Backed out 2 changesets (bug 1652677) for build bustages on nsHttpConnection.cpp. CLOSED TREE

Backed out changeset 7df7bfbfbc6e (bug 1652677)
Backed out changeset 435ff20fa8c6 (bug 1652677)

dom/media/webrtc/transport/test/webrtcproxychannel_unittest.cpp

@@ -178,11 +178,7 @@ class FakeSocketTransportProvider : public nsISocketTransport {
     MOZ_ASSERT(false);
     return NS_OK;
   }
-  NS_IMETHOD GetEchConfigUsed(bool* aEchConfigUsed) override {
-    MOZ_ASSERT(false);
-    return NS_OK;
-  }
-  NS_IMETHOD SetEchConfig(const nsACString& aEchConfig) override {
+  NS_IMETHOD GetEsniUsed(bool* aEsniUsed) override {
     MOZ_ASSERT(false);
     return NS_OK;
   }

modules/libpref/init/StaticPrefList.yaml

@@ -8517,7 +8517,7 @@
   value: false
   mirror: always
 
-# Whether to use HTTPS RR as AltSvc
+  # Whether to use HTTPS RR as AltSvc
 - name: network.dns.use_https_rr_as_altsvc
   type: RelaxedAtomicBool
   value: false
@@ -8529,12 +8529,6 @@
   value: true
   mirror: always
 
-# Whether to enable echconfig.
-- name: network.dns.echconfig.enabled
-  type: RelaxedAtomicBool
-  value: false
-  mirror: always
-
 #---------------------------------------------------------------------------
 # Prefs starting with "nglayout."
 #---------------------------------------------------------------------------

netwerk/base/FuzzySecurityInfo.cpp

@@ -311,10 +311,10 @@ FuzzySecurityInfo::SetNPNList(nsTArray<nsCString>& protocolArray) {
 }
 
 NS_IMETHODIMP
-FuzzySecurityInfo::GetEchConfig(nsACString& aEchConfig) { return NS_OK; }
+FuzzySecurityInfo::GetEsniTxt(nsACString& aEsniTxt) { return NS_OK; }
 
 NS_IMETHODIMP
-FuzzySecurityInfo::SetEchConfig(const nsACString& aEchConfig) {
+FuzzySecurityInfo::SetEsniTxt(const nsACString& aEsniTxt) {
   MOZ_CRASH("Unused");
   return NS_OK;
 }

netwerk/base/nsISocketTransport.idl

@@ -255,9 +255,9 @@ interface nsISocketTransport : nsITransport
 
     /**
      * If we know that a server speaks only tls <1.3 there is no need to try
-     * to use ech and query dns for echconfig.
+     * to use esni and query dns for esni keys.
      */
-    const unsigned long DONT_TRY_ECH = (1 << 10);
+    const unsigned long DONT_TRY_ESNI = (1 << 10);
 
     /**
      * These two bits encode the TRR mode of the request.
@@ -326,12 +326,10 @@ interface nsISocketTransport : nsITransport
     readonly attribute boolean resetIPFamilyPreference;
 
     /**
-     * This attribute holds information whether echconfig has been used.
+     * This attribute holds information whether esni has been used.
      * The value is set after PR_Connect is called.
      */
-   readonly attribute boolean echConfigUsed;
-
-   void setEchConfig(in ACString echConfig);
+   readonly attribute boolean esniUsed;
 
     /**
      * IP address resolved using TRR.

netwerk/base/nsSocketTransport2.cpp

@@ -710,7 +710,10 @@ nsSocketTransport::nsSocketTransport()
       mInputClosed(true),
       mOutputClosed(true),
       mResolving(false),
-      mEchConfigUsed(false),
+      mDNSLookupStatus(NS_OK),
+      mDNSARequestFinished(0),
+      mEsniQueried(false),
+      mEsniUsed(false),
       mResolvedByTRR(false),
       mNetAddrIsSet(false),
       mSelfAddrIsSet(false),
@@ -1069,6 +1072,36 @@ nsresult nsSocketTransport::ResolveHost() {
       dns->AsyncResolveNative(SocketHost(), nsIDNSService::RESOLVE_TYPE_DEFAULT,
                               dnsFlags, nullptr, this, mSocketTransportService,
                               mOriginAttributes, getter_AddRefs(mDNSRequest));
+  mEsniQueried = false;
+  if (mSocketTransportService->IsEsniEnabled() && NS_SUCCEEDED(rv) &&
+      !(mConnectionFlags & (DONT_TRY_ESNI | BE_CONSERVATIVE))) {
+    bool isSSL = false;
+    for (unsigned int i = 0; i < mTypes.Length(); ++i) {
+      if (mTypes[i].EqualsLiteral("ssl")) {
+        isSSL = true;
+        break;
+      }
+    }
+    if (isSSL) {
+      SOCKET_LOG((" look for esni txt record"));
+      nsAutoCString esniHost;
+      esniHost.Append("_esni.");
+      // This might end up being the SocketHost
+      // see https://github.com/ekr/draft-rescorla-tls-esni/issues/61
+      esniHost.Append(SocketHost());
+      rv = dns->AsyncResolveNative(esniHost, nsIDNSService::RESOLVE_TYPE_TXT,
+                                   dnsFlags, nullptr, this,
+                                   mSocketTransportService, mOriginAttributes,
+                                   getter_AddRefs(mDNSTxtRequest));
+      if (NS_FAILED(rv)) {
+        SOCKET_LOG(("  dns request by type failed."));
+        mDNSTxtRequest = nullptr;
+        rv = NS_OK;
+      } else {
+        mEsniQueried = true;
+      }
+    }
+  }
 
   if (NS_SUCCEEDED(rv)) {
     SOCKET_LOG(("  advancing to STATE_RESOLVING\n"));
@@ -1525,16 +1558,15 @@ nsresult nsSocketTransport::InitiateSocket() {
   }
 #endif
 
-  if (!mEchConfig.IsEmpty() &&
-      !(mConnectionFlags & (DONT_TRY_ECH | BE_CONSERVATIVE)) && mSecInfo) {
+  if (!mDNSRecordTxt.IsEmpty() && !mUsingQuic && mSecInfo) {
     nsCOMPtr<nsISSLSocketControl> secCtrl = do_QueryInterface(mSecInfo);
     if (secCtrl) {
-      SOCKET_LOG(("nsSocketTransport::InitiateSocket set echconfig."));
-      rv = secCtrl->SetEchConfig(mEchConfig);
+      SOCKET_LOG(("nsSocketTransport::InitiateSocket set esni keys."));
+      rv = secCtrl->SetEsniTxt(mDNSRecordTxt);
       if (NS_FAILED(rv)) {
         return rv;
       }
-      mEchConfigUsed = true;
+      mEsniUsed = true;
     }
   }
 
@@ -2149,12 +2181,14 @@ void nsSocketTransport::OnSocketEvent(uint32_t type, nsresult status,
       break;
 
     case MSG_DNS_LOOKUP_COMPLETE:
-      if (mDNSRequest) {  // only send this if we actually resolved anything
+      if (mDNSRequest ||
+          mDNSTxtRequest) {  // only send this if we actually resolved anything
         SendStatus(NS_NET_STATUS_RESOLVED_HOST);
       }
 
       SOCKET_LOG(("  MSG_DNS_LOOKUP_COMPLETE\n"));
       mDNSRequest = nullptr;
+      mDNSTxtRequest = nullptr;
       if (mDNSRecord) {
         mDNSRecord->GetNextAddr(SocketPort(), &mNetAddr);
         mDNSRecord->IsTRR(&mResolvedByTRR);
@@ -2427,6 +2461,11 @@ void nsSocketTransport::OnSocketDetached(PRFileDesc* fd) {
       mDNSRequest = nullptr;
     }
 
+    if (mDNSTxtRequest) {
+      mDNSTxtRequest->Cancel(NS_ERROR_ABORT);
+      mDNSTxtRequest = nullptr;
+    }
+
     //
     // notify input/output streams
     //
@@ -2951,21 +2990,65 @@ nsSocketTransport::OnLookupComplete(nsICancelable* request, nsIDNSRecord* rec,
               ".",
               this, static_cast<uint32_t>(status)));
 
-  if (NS_SUCCEEDED(status)) {
+  if (request == mDNSTxtRequest) {
+    if (NS_SUCCEEDED(status)) {
+      nsCOMPtr<nsIDNSTXTRecord> txtResponse = do_QueryInterface(rec);
+      txtResponse->GetRecordsAsOneString(mDNSRecordTxt);
+      mDNSRecordTxt.Trim(" ");
+    }
+    Telemetry::Accumulate(Telemetry::ESNI_KEYS_RECORDS_FOUND,
+                          NS_SUCCEEDED(status));
+    // flag host lookup complete for the benefit of the ResolveHost method.
+    if (!mDNSRequest) {
+      mResolving = false;
+      MOZ_ASSERT(mDNSARequestFinished);
+      Telemetry::Accumulate(
+          Telemetry::ESNI_KEYS_RECORD_FETCH_DELAYS,
+          PR_IntervalToMilliseconds(PR_IntervalNow() - mDNSARequestFinished));
+
+      nsresult rv =
+          PostEvent(MSG_DNS_LOOKUP_COMPLETE, mDNSLookupStatus, nullptr);
+
+      // if posting a message fails, then we should assume that the socket
+      // transport has been shutdown.  this should never happen!  if it does
+      // it means that the socket transport service was shutdown before the
+      // DNS service.
+      if (NS_FAILED(rv)) {
+        NS_WARNING("unable to post DNS lookup complete message");
+      }
+    } else {
+      mDNSTxtRequest = nullptr;
+    }
+    return NS_OK;
+  }
+
+  if (NS_FAILED(status) && mDNSTxtRequest) {
+    mDNSTxtRequest->Cancel(NS_ERROR_ABORT);
+  } else if (NS_SUCCEEDED(status)) {
     mDNSRecord = do_QueryInterface(rec);
     MOZ_ASSERT(mDNSRecord);
   }
 
   // flag host lookup complete for the benefit of the ResolveHost method.
-  mResolving = false;
-  nsresult rv = PostEvent(MSG_DNS_LOOKUP_COMPLETE, status, nullptr);
+  if (!mDNSTxtRequest) {
+    if (mEsniQueried) {
+      Telemetry::Accumulate(Telemetry::ESNI_KEYS_RECORD_FETCH_DELAYS, 0);
+    }
+    mResolving = false;
+    nsresult rv = PostEvent(MSG_DNS_LOOKUP_COMPLETE, status, nullptr);
 
-  // if posting a message fails, then we should assume that the socket
-  // transport has been shutdown.  this should never happen!  if it does
-  // it means that the socket transport service was shutdown before the
-  // DNS service.
-  if (NS_FAILED(rv)) {
-    NS_WARNING("unable to post DNS lookup complete message");
+    // if posting a message fails, then we should assume that the socket
+    // transport has been shutdown.  this should never happen!  if it does
+    // it means that the socket transport service was shutdown before the
+    // DNS service.
+    if (NS_FAILED(rv)) {
+      NS_WARNING("unable to post DNS lookup complete message");
+    }
+  } else {
+    mDNSLookupStatus =
+        status;  // remember the status to send it when esni lookup is ready.
+    mDNSRequest = nullptr;
+    mDNSARequestFinished = PR_IntervalNow();
   }
 
   return NS_OK;
@@ -3540,14 +3623,8 @@ nsSocketTransport::GetResetIPFamilyPreference(bool* aReset) {
 }
 
 NS_IMETHODIMP
-nsSocketTransport::GetEchConfigUsed(bool* aEchConfigUsed) {
-  *aEchConfigUsed = mEchConfigUsed;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSocketTransport::SetEchConfig(const nsACString& aEchConfig) {
-  mEchConfig = aEchConfig;
+nsSocketTransport::GetEsniUsed(bool* aEsniUsed) {
+  *aEsniUsed = mEsniUsed;
   return NS_OK;
 }
 

netwerk/base/nsSocketTransport2.h

@@ -327,8 +327,12 @@ class nsSocketTransport final : public nsASocketHandler,
   nsCOMPtr<nsICancelable> mDNSRequest;
   nsCOMPtr<nsIDNSAddrRecord> mDNSRecord;
 
-  nsCString mEchConfig;
-  bool mEchConfigUsed;
+  nsresult mDNSLookupStatus;
+  PRIntervalTime mDNSARequestFinished;
+  nsCOMPtr<nsICancelable> mDNSTxtRequest;
+  nsCString mDNSRecordTxt;
+  bool mEsniQueried;
+  bool mEsniUsed;
   bool mResolvedByTRR;
 
   // mNetAddr/mSelfAddr is valid from GetPeerAddr()/GetSelfAddr() once we have

netwerk/dns/HTTPSSVC.cpp

@@ -5,7 +5,6 @@
 #include "HTTPSSVC.h"
 #include "mozilla/net/DNS.h"
 #include "nsHttp.h"
-#include "nsHttpHandler.h"
 #include "nsNetAddr.h"
 
 namespace mozilla {
@@ -131,19 +130,6 @@ SvcParam::GetIpv6Hint(nsTArray<RefPtr<nsINetAddr>>& aIpv6Hint) {
   return NS_OK;
 }
 
-bool SVCB::operator<(const SVCB& aOther) const {
-  if (gHttpHandler->EchConfigEnabled()) {
-    if (mHasEchConfig && !aOther.mHasEchConfig) {
-      return true;
-    }
-    if (!mHasEchConfig && aOther.mHasEchConfig) {
-      return false;
-    }
-  }
-
-  return mSvcFieldPriority < aOther.mSvcFieldPriority;
-}
-
 Maybe<uint16_t> SVCB::GetPort() const {
   Maybe<uint16_t> port;
   for (const auto& value : mSvcFieldValue) {
@@ -214,11 +200,6 @@ Maybe<uint16_t> SVCBRecord::GetPort() { return mPort; }
 
 Maybe<nsCString> SVCBRecord::GetAlpn() { return mAlpn; }
 
-NS_IMETHODIMP SVCBRecord::GetEchConfig(nsACString& aEchConfig) {
-  aEchConfig = mData.mEchConfig;
-  return NS_OK;
-}
-
 NS_IMETHODIMP SVCBRecord::GetValues(nsTArray<RefPtr<nsISVCParam>>& aValues) {
   for (const auto& v : mData.mSvcFieldValue) {
     RefPtr<nsISVCParam> param = new SvcParam(v.mValue);

netwerk/dns/HTTPSSVC.h

@@ -82,16 +82,16 @@ struct SVCB {
            mSvcDomainName == aOther.mSvcDomainName &&
            mSvcFieldValue == aOther.mSvcFieldValue;
   }
-  bool operator<(const SVCB& aOther) const;
+  bool operator<(const SVCB& aOther) const {
+    return mSvcFieldPriority < aOther.mSvcFieldPriority;
+  }
   Maybe<uint16_t> GetPort() const;
   bool NoDefaultAlpn() const;
   Maybe<nsCString> GetAlpn(bool aNoHttp2, bool aNoHttp3) const;
   void GetIPHints(CopyableTArray<mozilla::net::NetAddr>& aAddresses) const;
   uint16_t mSvcFieldPriority = 0;
   nsCString mSvcDomainName;
-  nsCString mEchConfig;
   bool mHasIPHints = false;
-  bool mHasEchConfig = false;
   CopyableTArray<SvcFieldValue> mSvcFieldValue;
 };
 

netwerk/dns/TRR.cpp

@@ -1095,10 +1095,6 @@ nsresult TRR::DohDecode(nsCString& aHost) {
                 value.mValue.is<SvcParamIpv6Hint>()) {
               parsed.mHasIPHints = true;
             }
-            if (value.mValue.is<SvcParamEchConfig>()) {
-              parsed.mHasEchConfig = true;
-              parsed.mEchConfig = value.mValue.as<SvcParamEchConfig>().mValue;
-            }
             parsed.mSvcFieldValue.AppendElement(value);
           }
 

netwerk/dns/nsIDNSByTypeRecord.idl

@@ -92,7 +92,6 @@ interface nsISVCBRecord : nsISupports {
   readonly attribute ACString name;
   [noscript, nostdcall, notxpcom] readonly attribute MaybePort port;
   [noscript, nostdcall, notxpcom] readonly attribute MaybeAlpn alpn;
-  readonly attribute ACString echConfig;
   readonly attribute bool hasIPHintAddress;
   readonly attribute Array<nsISVCParam> values;
 };

netwerk/ipc/NeckoChannelParams.ipdlh

@@ -367,7 +367,6 @@ struct HttpConnectionInfoCloneArgs
   nsCString topWindowOrigin;
   bool isHttp3;
   bool hasIPHintAddress;
-  nsCString echConfig;
   ProxyInfoCloneArgs[] proxyInfo;
 };
 

netwerk/protocol/http/TunnelUtils.cpp

@@ -2060,17 +2060,9 @@ SocketTransportShim::GetFirstRetryError(nsresult* aFirstRetryError) {
 }
 
 NS_IMETHODIMP
-SocketTransportShim::GetEchConfigUsed(bool* aEchConfigUsed) {
+SocketTransportShim::GetEsniUsed(bool* aEsniUsed) {
   if (mIsWebsocket) {
-    LOG3(("WARNING: SocketTransportShim::GetEchConfigUsed %p", this));
-  }
-  return NS_ERROR_NOT_IMPLEMENTED;
-}
-
-NS_IMETHODIMP
-SocketTransportShim::SetEchConfig(const nsACString& aEchConfig) {
-  if (mIsWebsocket) {
-    LOG3(("WARNING: SocketTransportShim::SetEchConfig %p", this));
+    LOG3(("WARNING: SocketTransportShim::GetEsniUsed %p", this));
   }
   return NS_ERROR_NOT_IMPLEMENTED;
 }

netwerk/protocol/http/nsHttpConnection.cpp

@@ -701,6 +701,19 @@ npnComplete:
     mDid0RTTSpdy = false;
   }
 
+  if (ssl) {
+    // Telemetry for tls failure rate with and without esni;
+    bool esni = false;
+    rv = mSocketTransport->GetEsniUsed(&esni);
+    if (NS_SUCCEEDED(rv)) {
+      Telemetry::Accumulate(
+          Telemetry::ESNI_NOESNI_TLS_SUCCESS_RATE,
+          (esni)
+              ? ((handshakeSucceeded) ? ESNI_SUCCESSFUL : ESNI_FAILED)
+              : ((handshakeSucceeded) ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED));
+    }
+  }
+
   if (rv == psm::GetXPCOMFromNSSError(
                 mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED)) {
     gSocketTransportService->SetNotTrustedMitmDetected();

netwerk/protocol/http/nsHttpConnectionInfo.cpp

@@ -339,7 +339,6 @@ already_AddRefed<nsHttpConnectionInfo> nsHttpConnectionInfo::Clone() const {
   clone->SetIPv4Disabled(GetIPv4Disabled());
   clone->SetIPv6Disabled(GetIPv6Disabled());
   clone->SetHasIPHintAddress(HasIPHintAddress());
-  clone->SetEchConfig(GetEchConfig());
   MOZ_ASSERT(clone->Equals(this));
 
   return clone.forget();
@@ -394,10 +393,6 @@ nsHttpConnectionInfo::CloneAndAdoptHTTPSSVCRecord(
     clone->SetHasIPHintAddress(hasIPHint);
   }
 
-  nsAutoCString echConfig;
-  Unused << aRecord->GetEchConfig(echConfig);
-  clone->SetEchConfig(echConfig);
-
   return clone.forget();
 }
 
@@ -426,7 +421,6 @@ void nsHttpConnectionInfo::SerializeHttpConnectionInfo(
   aArgs.topWindowOrigin() = aInfo->GetTopWindowOrigin();
   aArgs.isHttp3() = aInfo->IsHttp3();
   aArgs.hasIPHintAddress() = aInfo->HasIPHintAddress();
-  aArgs.echConfig() = aInfo->GetEchConfig();
 
   if (!aInfo->ProxyInfo()) {
     return;
@@ -471,7 +465,6 @@ nsHttpConnectionInfo::DeserializeHttpConnectionInfoCloneArgs(
   cinfo->SetIPv4Disabled(aInfoArgs.isIPv4Disabled());
   cinfo->SetIPv6Disabled(aInfoArgs.isIPv6Disabled());
   cinfo->SetHasIPHintAddress(aInfoArgs.hasIPHintAddress());
-  cinfo->SetEchConfig(aInfoArgs.echConfig());
 
   return cinfo.forget();
 }
@@ -498,7 +491,6 @@ void nsHttpConnectionInfo::CloneAsDirectRoute(nsHttpConnectionInfo** outCI) {
   clone->SetIPv4Disabled(GetIPv4Disabled());
   clone->SetIPv6Disabled(GetIPv6Disabled());
   clone->SetHasIPHintAddress(HasIPHintAddress());
-  clone->SetEchConfig(GetEchConfig());
 
   clone.forget(outCI);
 }

netwerk/protocol/http/nsHttpConnectionInfo.h

@@ -212,8 +212,6 @@ class nsHttpConnectionInfo final : public ARefBase {
   void SetHasIPHintAddress(bool aHasIPHint) { mHasIPHintAddress = aHasIPHint; }
   bool HasIPHintAddress() const { return mHasIPHintAddress; }
 
-  const nsCString& GetEchConfig() const { return mEchConfig; }
-
  private:
   // These constructor versions are intended to be used from Clone() and
   // DeserializeHttpConnectionInfoCloneArgs().
@@ -236,7 +234,6 @@ class nsHttpConnectionInfo final : public ARefBase {
             nsProxyInfo* proxyInfo, const OriginAttributes& originAttributes,
             bool EndToEndSSL, bool aIsHttp3);
   void SetOriginServer(const nsACString& host, int32_t port);
-  void SetEchConfig(const nsACString& aEchConfig) { mEchConfig = aEchConfig; }
 
   nsCString mOrigin;
   int32_t mOriginPort;
@@ -267,7 +264,6 @@ class nsHttpConnectionInfo final : public ARefBase {
   bool mIsHttp3;
 
   bool mHasIPHintAddress = false;
-  nsCString mEchConfig;
 
   // for RefPtr
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(nsHttpConnectionInfo, override)

netwerk/protocol/http/nsHttpConnectionMgr.cpp

@@ -4237,7 +4237,7 @@ nsresult nsHttpConnectionMgr::nsHalfOpenSocket::SetupStreams(
   }
 
   if (ci->GetLessThanTls13()) {
-    tmpFlags |= nsISocketTransport::DONT_TRY_ECH;
+    tmpFlags |= nsISocketTransport::DONT_TRY_ESNI;
   }
 
   if (((mCaps & NS_HTTP_BE_CONSERVATIVE) || ci->GetBeConservative()) &&
@@ -4330,11 +4330,6 @@ nsresult nsHttpConnectionMgr::nsHalfOpenSocket::SetupStreams(
   rv = socketTransport->SetSecurityCallbacks(this);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (gHttpHandler->EchConfigEnabled()) {
-    rv = socketTransport->SetEchConfig(ci->GetEchConfig());
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
   Telemetry::Accumulate(Telemetry::HTTP_CONNECTION_ENTRY_CACHE_HIT_1,
                         mEnt->mUsedForConnection);
   mEnt->mUsedForConnection = true;

netwerk/protocol/http/nsHttpHandler.cpp

@@ -3028,8 +3028,4 @@ bool nsHttpHandler::UseHTTPSRRAsAltSvcEnabled() const {
   return StaticPrefs::network_dns_use_https_rr_as_altsvc();
 }
 
-bool nsHttpHandler::EchConfigEnabled() const {
-  return StaticPrefs::network_dns_echconfig_enabled();
-}
-
 }  // namespace mozilla::net

netwerk/protocol/http/nsHttpHandler.h

@@ -507,8 +507,6 @@ class nsHttpHandler final : public nsIHttpProtocolHandler,
 
   bool UseHTTPSRRAsAltSvcEnabled() const;
 
-  bool EchConfigEnabled() const;
-
  private:
   nsHttpHandler();
 

netwerk/socket/nsISSLSocketControl.idl

@@ -146,10 +146,10 @@ interface nsISSLSocketControl : nsISupports {
     [infallible] readonly attribute boolean failedVerification;
 
     /*
-     * echConfig is defined for conveying the ECH configuration.
-     * This is encoded in base64.
+     * esniTxt is a string that consists of the concatenated _esni. TXT records.
+     * This is a base64 encoded ESNIKeys structure.
      */
-    attribute ACString echConfig;
+    attribute ACString esniTxt;
 
     /**
      * The id used to uniquely identify the connection to the peer.

netwerk/test/unit/test_httpssvc_priority.js

@@ -1,235 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
-
-let prefs;
-let h2Port;
-
-const dns = Cc["@mozilla.org/network/dns-service;1"].getService(
-  Ci.nsIDNSService
-);
-const certOverrideService = Cc[
-  "@mozilla.org/security/certoverride;1"
-].getService(Ci.nsICertOverrideService);
-const threadManager = Cc["@mozilla.org/thread-manager;1"].getService(
-  Ci.nsIThreadManager
-);
-const mainThread = threadManager.currentThread;
-
-const defaultOriginAttributes = {};
-
-function setup() {
-  let env = Cc["@mozilla.org/process/environment;1"].getService(
-    Ci.nsIEnvironment
-  );
-  h2Port = env.get("MOZHTTP2_PORT");
-  Assert.notEqual(h2Port, null);
-  Assert.notEqual(h2Port, "");
-
-  // Set to allow the cert presented by our H2 server
-  do_get_profile();
-  prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
-
-  prefs.setBoolPref("network.security.esni.enabled", false);
-  prefs.setBoolPref("network.http.spdy.enabled", true);
-  prefs.setBoolPref("network.http.spdy.enabled.http2", true);
-  // the TRR server is on 127.0.0.1
-  prefs.setCharPref("network.trr.bootstrapAddress", "127.0.0.1");
-
-  // make all native resolve calls "secretly" resolve localhost instead
-  prefs.setBoolPref("network.dns.native-is-localhost", true);
-
-  // 0 - off, 1 - race, 2 TRR first, 3 TRR only, 4 shadow
-  prefs.setIntPref("network.trr.mode", 2); // TRR first
-  prefs.setBoolPref("network.trr.wait-for-portal", false);
-  // don't confirm that TRR is working, just go!
-  prefs.setCharPref("network.trr.confirmationNS", "skip");
-
-  // So we can change the pref without clearing the cache to check a pushed
-  // record with a TRR path that fails.
-  Services.prefs.setBoolPref("network.trr.clear-cache-on-pref-change", false);
-
-  // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem
-  // so add that cert to the trust list as a signing cert.  // the foo.example.com domain name.
-  const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-}
-
-setup();
-registerCleanupFunction(() => {
-  prefs.clearUserPref("network.security.esni.enabled");
-  prefs.clearUserPref("network.http.spdy.enabled");
-  prefs.clearUserPref("network.http.spdy.enabled.http2");
-  prefs.clearUserPref("network.dns.localDomains");
-  prefs.clearUserPref("network.dns.native-is-localhost");
-  prefs.clearUserPref("network.trr.mode");
-  prefs.clearUserPref("network.trr.uri");
-  prefs.clearUserPref("network.trr.credentials");
-  prefs.clearUserPref("network.trr.wait-for-portal");
-  prefs.clearUserPref("network.trr.allow-rfc1918");
-  prefs.clearUserPref("network.trr.useGET");
-  prefs.clearUserPref("network.trr.confirmationNS");
-  prefs.clearUserPref("network.trr.bootstrapAddress");
-  prefs.clearUserPref("network.trr.request-timeout");
-  prefs.clearUserPref("network.trr.clear-cache-on-pref-change");
-  prefs.clearUserPref("network.dns.echconfig.enabled");
-});
-
-class DNSListener {
-  constructor() {
-    this.promise = new Promise(resolve => {
-      this.resolve = resolve;
-    });
-  }
-  onLookupComplete(inRequest, inRecord, inStatus) {
-    this.resolve([inRequest, inRecord, inStatus]);
-  }
-  // So we can await this as a promise.
-  then() {
-    return this.promise.then.apply(this.promise, arguments);
-  }
-}
-
-DNSListener.prototype.QueryInterface = ChromeUtils.generateQI([
-  "nsIDNSListener",
-]);
-
-add_task(async function testPriorityAndECHConfig() {
-  let trrServer = new TRRServer();
-  registerCleanupFunction(async () => trrServer.stop());
-  await trrServer.start();
-
-  Services.prefs.setBoolPref("network.dns.echconfig.enabled", false);
-  Services.prefs.setIntPref("network.trr.mode", 3);
-  Services.prefs.setCharPref(
-    "network.trr.uri",
-    `https://foo.example.com:${trrServer.port}/dns-query`
-  );
-
-  await trrServer.registerDoHAnswers("test.priority.com", "HTTPS", [
-    {
-      name: "test.priority.com",
-      ttl: 55,
-      type: "HTTPS",
-      flush: false,
-      data: {
-        priority: 1,
-        name: "test.p1.com",
-        values: [{ key: "alpn", value: "h2,h3" }],
-      },
-    },
-    {
-      name: "test.priority.com",
-      ttl: 55,
-      type: "HTTPS",
-      flush: false,
-      data: {
-        priority: 4,
-        name: "test.p4.com",
-        values: [{ key: "echconfig", value: "456..." }],
-      },
-    },
-    {
-      name: "test.priority.com",
-      ttl: 55,
-      type: "HTTPS",
-      flush: false,
-      data: {
-        priority: 3,
-        name: "test.p3.com",
-        values: [{ key: "ipv4hint", value: "1.2.3.4" }],
-      },
-    },
-    {
-      name: "test.priority.com",
-      ttl: 55,
-      type: "HTTPS",
-      flush: false,
-      data: {
-        priority: 2,
-        name: "test.p2.com",
-        values: [{ key: "echconfig", value: "123..." }],
-      },
-    },
-  ]);
-
-  let listener = new DNSListener();
-
-  let request = dns.asyncResolve(
-    "test.priority.com",
-    dns.RESOLVE_TYPE_HTTPSSVC,
-    0,
-    null, // resolverInfo
-    listener,
-    mainThread,
-    defaultOriginAttributes
-  );
-
-  let [inRequest, inRecord, inStatus] = await listener;
-  Assert.equal(inRequest, request, "correct request was used");
-  Assert.equal(inStatus, Cr.NS_OK, "status OK");
-
-  let answer = inRecord.QueryInterface(Ci.nsIDNSHTTPSSVCRecord).records;
-  Assert.equal(answer.length, 4);
-
-  Assert.equal(answer[0].priority, 1);
-  Assert.equal(answer[0].name, "test.p1.com");
-
-  Assert.equal(answer[1].priority, 2);
-  Assert.equal(answer[1].name, "test.p2.com");
-
-  Assert.equal(answer[2].priority, 3);
-  Assert.equal(answer[2].name, "test.p3.com");
-
-  Assert.equal(answer[3].priority, 4);
-  Assert.equal(answer[3].name, "test.p4.com");
-
-  Services.prefs.setBoolPref("network.dns.echconfig.enabled", true);
-  dns.clearCache(true);
-  listener = new DNSListener();
-
-  request = dns.asyncResolve(
-    "test.priority.com",
-    dns.RESOLVE_TYPE_HTTPSSVC,
-    0,
-    null, // resolverInfo
-    listener,
-    mainThread,
-    defaultOriginAttributes
-  );
-
-  [inRequest, inRecord, inStatus] = await listener;
-  Assert.equal(inRequest, request, "correct request was used");
-  Assert.equal(inStatus, Cr.NS_OK, "status OK");
-
-  answer = inRecord.QueryInterface(Ci.nsIDNSHTTPSSVCRecord).records;
-  Assert.equal(answer.length, 4);
-
-  Assert.equal(answer[0].priority, 2);
-  Assert.equal(answer[0].name, "test.p2.com");
-  Assert.equal(
-    answer[0].values[0].QueryInterface(Ci.nsISVCParamEchConfig).echconfig,
-    "123...",
-    "got correct answer"
-  );
-
-  Assert.equal(answer[1].priority, 4);
-  Assert.equal(answer[1].name, "test.p4.com");
-  Assert.equal(
-    answer[1].values[0].QueryInterface(Ci.nsISVCParamEchConfig).echconfig,
-    "456...",
-    "got correct answer"
-  );
-
-  Assert.equal(answer[2].priority, 1);
-  Assert.equal(answer[2].name, "test.p1.com");
-
-  Assert.equal(answer[3].priority, 3);
-  Assert.equal(answer[3].name, "test.p3.com");
-});

netwerk/test/unit/xpcshell.ini

@@ -460,5 +460,3 @@ skip-if = os == "android"
 skip-if = os == "android"
 [test_httpssvc_iphint.js]
 skip-if = os == "android"
-[test_httpssvc_priority.js]
-skip-if = os == "android"

security/manager/ssl/CommonSocketControl.cpp

@@ -276,12 +276,12 @@ CommonSocketControl::GetFailedVerification(bool* arg) {
 }
 
 NS_IMETHODIMP
-CommonSocketControl::GetEchConfig(nsACString& aEchConfig) {
+CommonSocketControl::GetEsniTxt(nsACString& aEsniTxt) {
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 
 NS_IMETHODIMP
-CommonSocketControl::SetEchConfig(const nsACString& aEchConfig) {
+CommonSocketControl::SetEsniTxt(const nsACString& aEsniTxt) {
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 

security/manager/ssl/nsNSSIOLayer.cpp

@@ -697,35 +697,33 @@ PRStatus nsNSSSocketInfo::CloseSocketAndDestroy() {
 }
 
 NS_IMETHODIMP
-nsNSSSocketInfo::GetEchConfig(nsACString& aEchConfig) {
-  aEchConfig = mEchConfig;
+nsNSSSocketInfo::GetEsniTxt(nsACString& aEsniTxt) {
+  aEsniTxt = mEsniTxt;
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsNSSSocketInfo::SetEchConfig(const nsACString& aEchConfig) {
-  mEchConfig = aEchConfig;
+nsNSSSocketInfo::SetEsniTxt(const nsACString& aEsniTxt) {
+  mEsniTxt = aEsniTxt;
 
-#if 0
-  if (mEchConfig.Length()) {
-    nsAutoCString echBin;
-    if (NS_OK != Base64Decode(mEchConfig, echBin)) {
+  if (mEsniTxt.Length()) {
+    nsAutoCString esniBin;
+    if (NS_OK != Base64Decode(mEsniTxt, esniBin)) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Error,
-              ("[%p] Invalid EchConfig record. Couldn't base64 decode\n",
+              ("[%p] Invalid ESNIKeys record. Couldn't base64 decode\n",
                (void*)mFd));
       return NS_OK;
     }
 
-    if (SECSuccess != SSL_SetClientEchConfigs(
-                          mFd, reinterpret_cast<const PRUint8*>(echBin.get()),
-                          echBin.Length())) {
+    if (SECSuccess !=
+        SSL_EnableESNI(mFd, reinterpret_cast<const PRUint8*>(esniBin.get()),
+                       esniBin.Length(), nullptr)) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Error,
-              ("[%p] Invalid EchConfig record %s\n", (void*)mFd,
+              ("[%p] Invalid ESNIKeys record %s\n", (void*)mFd,
                PR_ErrorToName(PR_GetError())));
       return NS_OK;
     }
   }
-#endif
 
   return NS_OK;
 }

security/manager/ssl/nsNSSIOLayer.h

@@ -66,8 +66,8 @@ class nsNSSSocketInfo final : public CommonSocketControl {
   void SetDenyClientCert(bool aDenyClientCert) override;
   NS_IMETHOD GetClientCert(nsIX509Cert** aClientCert) override;
   NS_IMETHOD SetClientCert(nsIX509Cert* aClientCert) override;
-  NS_IMETHOD GetEchConfig(nsACString& aEchConfig) override;
-  NS_IMETHOD SetEchConfig(const nsACString& aEchConfig) override;
+  NS_IMETHOD GetEsniTxt(nsACString& aEsniTxt) override;
+  NS_IMETHOD SetEsniTxt(const nsACString& aEsniTxt) override;
   NS_IMETHOD GetPeerId(nsACString& aResult) override;
 
   PRStatus CloseSocketAndDestroy();
@@ -180,7 +180,7 @@ class nsNSSSocketInfo final : public CommonSocketControl {
 
   nsresult ActivateSSL();
 
-  nsCString mEchConfig;
+  nsCString mEsniTxt;
   nsCString mPeerId;
   bool mEarlyDataAccepted;
   bool mDenyClientCert;