diff --git a/netwerk/protocol/http/Http3Session.cpp b/netwerk/protocol/http/Http3Session.cpp
index c93de305b186..3da032f0cb8c 100644
--- a/netwerk/protocol/http/Http3Session.cpp
+++ b/netwerk/protocol/http/Http3Session.cpp
@@ -1569,6 +1569,11 @@ void Http3Session::SetSecInfo() {
 mSocketControl->SetInfo(secInfo.cipher, secInfo.version, secInfo.group, secInfo.signature_scheme);
 }
+
+ if (!mSocketControl->HasServerCert() &&
+ StaticPrefs::network_ssl_tokens_cache_enabled()) {
+ mSocketControl->RebuildCertificateInfoFromSSLTokenCache();
+ }
 }
 void Http3Session::CloseConnectionTelemetry(CloseError& aError, bool aClosing) {
diff --git a/security/manager/ssl/CommonSocketControl.cpp b/security/manager/ssl/CommonSocketControl.cpp
index d87f3305c1a9..5f42575da4bb 100644
--- a/security/manager/ssl/CommonSocketControl.cpp
+++ b/security/manager/ssl/CommonSocketControl.cpp
@@ -13,9 +13,12 @@
 #include "SharedSSLState.h"
 #include "sslt.h"
 #include "ssl.h"
+#include "mozilla/net/SSLTokensCache.h"
 using namespace mozilla;
+extern LazyLogModule gPIPNSSLog;
+
 NS_IMPL_ISUPPORTS_INHERITED(CommonSocketControl, TransportSecurityInfo, nsISSLSocketControl)
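Review bot: The block added to `Http3Session::SetSecInfo` has no fallback and no failure signal: when `StaticPrefs::network_ssl_tokens_cache_enabled()` is false, or the rebuild misses the cache, the session carries on with `HasServerCert()` still false. `HandshakeCallback` in nsNSSCallbacks.cpp calls `RebuildVerifiedCertificateInformation(fd, infoObject)` in its pref-off branch, and nothing equivalent is visible here. If a session without certificate info is acceptable at this point, say so in a comment such as `// No server cert yet: try to restore it from the SSL tokens cache; on a miss the cert info stays unset.`; otherwise re-check `HasServerCert()` after the call and handle the miss. The body of `SetSecInfo` starts outside the hunk, so earlier handling cannot be ruled out.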
@@ -214,6 +217,39 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
 return NS_OK;
 }
+void CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache() {
+ nsAutoCString key;
+ GetPeerId(key);
+ mozilla::net::SessionCacheInfo info;
+ if (!mozilla::net::SSLTokensCache::GetSessionCacheInfo(key, info)) {
+ MOZ_LOG(
+ gPIPNSSLog, LogLevel::Debug,
+ ("CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache cannot "
+ "find cached info."));
+ return;
+ }
+
+ RefPtr nssc = nsNSSCertificate::ConstructFromDER(
+ BitwiseCast(info.mServerCertBytes.Elements()),
+ info.mServerCertBytes.Length());
+ if (!nssc) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("RebuildCertificateInfoFromSSLTokenCache failed to construct "
+ "server cert"));
+ return;
+ }
+
+ SetServerCert(nssc, info.mEVStatus);
+ SetCertificateTransparencyStatus(info.mCertificateTransparencyStatus);
+ if (info.mSucceededCertChainBytes) {
+ SetSucceededCertChain(std::move(*info.mSucceededCertChainBytes));
+ }
+
+ if (info.mIsBuiltCertChainRootBuiltInRoot) {
+ SetIsBuiltCertChainRootBuiltInRoot(*info.mIsBuiltCertChainRootBuiltInRoot);
+ }
+}
+
 NS_IMETHODIMP CommonSocketControl::GetKEAUsed(int16_t* aKEAUsed) {
 return NS_ERROR_NOT_IMPLEMENTED;
diff --git a/security/manager/ssl/CommonSocketControl.h b/security/manager/ssl/CommonSocketControl.h
index 745aee1e1773..4afd79d2d04d 100644
--- a/security/manager/ssl/CommonSocketControl.h
+++ b/security/manager/ssl/CommonSocketControl.h
@@ -20,6 +20,7 @@ class CommonSocketControl : public mozilla::psm::TransportSecurityInfo,
 uint32_t GetProviderFlags() const { return mProviderFlags; }
 void SetSSLVersionUsed(int16_t version) { mSSLVersionUsed = version; }
+ void RebuildCertificateInfoFromSSLTokenCache();
 protected:
 ~CommonSocketControl() = default;
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
index 73272391e4dd..91974af1559d 100644
--- a/security/manager/ssl/nsNSSCallbacks.cpp
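Review bot: Both early returns in `CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache` (cache miss, DER that does not parse) only log at `LogLevel::Debug` and the function returns void, so neither `HandshakeCallback` nor `Http3Session::SetSecInfo` can tell whether certificate state was actually restored. The EV status, CT status, succeeded chain and built-in-root flag are copied from the entry found under `GetPeerId(key)` with no re-verification visible in this function, so that trust assumption should be written down, e.g. `// Trusts the SSLTokensCache entry for this peer id as-is: EV/CT status and chain are not re-verified here.`. The new public declaration in CommonSocketControl.h has no comment either and should carry the same sentence. Returning `bool` instead of void would let both callers log or react to a miss. The two log strings are also inconsistent, since only the first carries the `CommonSocketControl::` prefix.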
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1212,48 +1212,6 @@ nsresult IsCertificateDistrustImminent(
 return NS_OK;
 }
-static void RebuildCertificateInfoFromSSLTokenCache(
- nsNSSSocketInfo* aInfoObject) {
- MOZ_ASSERT(aInfoObject);
-
- if (!aInfoObject) {
- return;
- }
-
- nsAutoCString key;
- aInfoObject->GetPeerId(key);
- mozilla::net::SessionCacheInfo info;
- if (!mozilla::net::SSLTokensCache::GetSessionCacheInfo(key, info)) {
- MOZ_LOG(
- gPIPNSSLog, LogLevel::Debug,
- ("RebuildCertificateInfoFromSSLTokenCache cannot find cached info."));
- return;
- }
-
- RefPtr nssc = nsNSSCertificate::ConstructFromDER(
- BitwiseCast(info.mServerCertBytes.Elements()),
- info.mServerCertBytes.Length());
- if (!nssc) {
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("RebuildCertificateInfoFromSSLTokenCache failed to construct "
- "server cert"));
- return;
- }
-
- aInfoObject->SetServerCert(nssc, info.mEVStatus);
- aInfoObject->SetCertificateTransparencyStatus(
- info.mCertificateTransparencyStatus);
- if (info.mSucceededCertChainBytes) {
- aInfoObject->SetSucceededCertChain(
- std::move(*info.mSucceededCertChainBytes));
- }
-
- if (info.mIsBuiltCertChainRootBuiltInRoot) {
- aInfoObject->SetIsBuiltCertChainRootBuiltInRoot(
- *info.mIsBuiltCertChainRootBuiltInRoot);
- }
-}
-
 void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 SECStatus rv;
@@ -1392,7 +1350,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 ("HandshakeCallback KEEPING existing cert\n"));
 } else {
 if (StaticPrefs::network_ssl_tokens_cache_enabled()) {
- RebuildCertificateInfoFromSSLTokenCache(infoObject);
+ infoObject->RebuildCertificateInfoFromSSLTokenCache();
 } else {
 RebuildVerifiedCertificateInformation(fd, infoObject);
 }
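Review bot: The new call `infoObject->RebuildCertificateInfoFromSSLTokenCache();` drops the `MOZ_ASSERT(aInfoObject)` and the null check that the removed static helper performed, so this line now dereferences `infoObject` unconditionally. `HandshakeCallback` starts well before this hunk, so whether `infoObject` is already asserted or dereferenced earlier cannot be seen here; presumably it is, in which case no guard is needed. If it is not, keep the assertion at the call site with `MOZ_ASSERT(infoObject);` ahead of the `if (StaticPrefs::network_ssl_tokens_cache_enabled())` branch.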