зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1669679 - Rebuild cert-info when a resumption token is used for HTTP3 r=keeler,necko-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D93359
This commit is contained in:
Dragana Damjanovic
Родитель
3f58b11a29
Коммит
f4599c1e24
|
|
@ -1569,6 +1569,11 @@ void Http3Session::SetSecInfo() {
|
|||
mSocketControl->SetInfo(secInfo.cipher, secInfo.version, secInfo.group,
|
||||
secInfo.signature_scheme);
|
||||
}
|
||||
|
||||
if (!mSocketControl->HasServerCert() &&
|
||||
StaticPrefs::network_ssl_tokens_cache_enabled()) {
|
||||
mSocketControl->RebuildCertificateInfoFromSSLTokenCache();
|
||||
}
|
||||
}
|
||||
|
||||
void Http3Session::CloseConnectionTelemetry(CloseError& aError, bool aClosing) {
|
||||
|
|
|
|||
|
|
@ -13,9 +13,12 @@
|
|||
#include "SharedSSLState.h"
|
||||
#include "sslt.h"
|
||||
#include "ssl.h"
|
||||
#include "mozilla/net/SSLTokensCache.h"
|
||||
|
||||
using namespace mozilla;
|
||||
|
||||
extern LazyLogModule gPIPNSSLog;
|
||||
|
||||
NS_IMPL_ISUPPORTS_INHERITED(CommonSocketControl, TransportSecurityInfo,
|
||||
nsISSLSocketControl)
|
||||
|
||||
|
|
@ -214,6 +217,39 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
void CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache() {
|
||||
nsAutoCString key;
|
||||
GetPeerId(key);
|
||||
mozilla::net::SessionCacheInfo info;
|
||||
if (!mozilla::net::SSLTokensCache::GetSessionCacheInfo(key, info)) {
|
||||
MOZ_LOG(
|
||||
gPIPNSSLog, LogLevel::Debug,
|
||||
("CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache cannot "
|
||||
"find cached info."));
|
||||
return;
|
||||
}
|
||||
|
||||
RefPtr<nsNSSCertificate> nssc = nsNSSCertificate::ConstructFromDER(
|
||||
BitwiseCast<char*, uint8_t*>(info.mServerCertBytes.Elements()),
|
||||
info.mServerCertBytes.Length());
|
||||
if (!nssc) {
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
||||
("RebuildCertificateInfoFromSSLTokenCache failed to construct "
|
||||
"server cert"));
|
||||
return;
|
||||
}
|
||||
|
||||
SetServerCert(nssc, info.mEVStatus);
|
||||
SetCertificateTransparencyStatus(info.mCertificateTransparencyStatus);
|
||||
if (info.mSucceededCertChainBytes) {
|
||||
SetSucceededCertChain(std::move(*info.mSucceededCertChainBytes));
|
||||
}
|
||||
|
||||
if (info.mIsBuiltCertChainRootBuiltInRoot) {
|
||||
SetIsBuiltCertChainRootBuiltInRoot(*info.mIsBuiltCertChainRootBuiltInRoot);
|
||||
}
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
CommonSocketControl::GetKEAUsed(int16_t* aKEAUsed) {
|
||||
return NS_ERROR_NOT_IMPLEMENTED;
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ class CommonSocketControl : public mozilla::psm::TransportSecurityInfo,
|
|||
|
||||
uint32_t GetProviderFlags() const { return mProviderFlags; }
|
||||
void SetSSLVersionUsed(int16_t version) { mSSLVersionUsed = version; }
|
||||
void RebuildCertificateInfoFromSSLTokenCache();
|
||||
|
||||
protected:
|
||||
~CommonSocketControl() = default;
|
||||
|
|
|
|||
|
|
@ -1212,48 +1212,6 @@ nsresult IsCertificateDistrustImminent(
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
static void RebuildCertificateInfoFromSSLTokenCache(
|
||||
nsNSSSocketInfo* aInfoObject) {
|
||||
MOZ_ASSERT(aInfoObject);
|
||||
|
||||
if (!aInfoObject) {
|
||||
return;
|
||||
}
|
||||
|
||||
nsAutoCString key;
|
||||
aInfoObject->GetPeerId(key);
|
||||
mozilla::net::SessionCacheInfo info;
|
||||
if (!mozilla::net::SSLTokensCache::GetSessionCacheInfo(key, info)) {
|
||||
MOZ_LOG(
|
||||
gPIPNSSLog, LogLevel::Debug,
|
||||
("RebuildCertificateInfoFromSSLTokenCache cannot find cached info."));
|
||||
return;
|
||||
}
|
||||
|
||||
RefPtr<nsNSSCertificate> nssc = nsNSSCertificate::ConstructFromDER(
|
||||
BitwiseCast<char*, uint8_t*>(info.mServerCertBytes.Elements()),
|
||||
info.mServerCertBytes.Length());
|
||||
if (!nssc) {
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
||||
("RebuildCertificateInfoFromSSLTokenCache failed to construct "
|
||||
"server cert"));
|
||||
return;
|
||||
}
|
||||
|
||||
aInfoObject->SetServerCert(nssc, info.mEVStatus);
|
||||
aInfoObject->SetCertificateTransparencyStatus(
|
||||
info.mCertificateTransparencyStatus);
|
||||
if (info.mSucceededCertChainBytes) {
|
||||
aInfoObject->SetSucceededCertChain(
|
||||
std::move(*info.mSucceededCertChainBytes));
|
||||
}
|
||||
|
||||
if (info.mIsBuiltCertChainRootBuiltInRoot) {
|
||||
aInfoObject->SetIsBuiltCertChainRootBuiltInRoot(
|
||||
*info.mIsBuiltCertChainRootBuiltInRoot);
|
||||
}
|
||||
}
|
||||
|
||||
void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
||||
SECStatus rv;
|
||||
|
||||
|
|
@ -1392,7 +1350,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
|||
("HandshakeCallback KEEPING existing cert\n"));
|
||||
} else {
|
||||
if (StaticPrefs::network_ssl_tokens_cache_enabled()) {
|
||||
RebuildCertificateInfoFromSSLTokenCache(infoObject);
|
||||
infoObject->RebuildCertificateInfoFromSSLTokenCache();
|
||||
} else {
|
||||
RebuildVerifiedCertificateInformation(fd, infoObject);
|
||||
}
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче