1 files changed, 22 insertions, 58 deletions

diff --git a/netwerk/protocol/webtransport/WebTransportSessionProxy.cpp b/netwerk/protocol/webtransport/WebTransportSessionProxy.cpp
index e650a74d5b..dd4ba7e7d0 100644
--- a/netwerk/protocol/webtransport/WebTransportSessionProxy.cpp
+++ b/netwerk/protocol/webtransport/WebTransportSessionProxy.cpp
@@ -27,7 +27,8 @@ namespace mozilla::net {
 LazyLogModule webTransportLog("nsWebTransport");
 
 NS_IMPL_ISUPPORTS(WebTransportSessionProxy, WebTransportSessionEventListener,
-                  nsIWebTransport, nsIRedirectResultListener, nsIStreamListener,
+                  WebTransportConnectionSettings, nsIWebTransport,
+                  nsIRedirectResultListener, nsIStreamListener,
                   nsIChannelEventSink, nsIInterfaceRequestor);
 
 WebTransportSessionProxy::WebTransportSessionProxy()
@@ -63,17 +64,17 @@ WebTransportSessionProxy::~WebTransportSessionProxy() {
 //-----------------------------------------------------------------------------
 
 nsresult WebTransportSessionProxy::AsyncConnect(
-    nsIURI* aURI,
+    nsIURI* aURI, bool aDedicated,
     const nsTArray<RefPtr<nsIWebTransportHash>>& aServerCertHashes,
     nsIPrincipal* aPrincipal, uint32_t aSecurityFlags,
     WebTransportSessionEventListener* aListener) {
-  return AsyncConnectWithClient(aURI, std::move(aServerCertHashes), aPrincipal,
-                                aSecurityFlags, aListener,
+  return AsyncConnectWithClient(aURI, aDedicated, std::move(aServerCertHashes),
+                                aPrincipal, aSecurityFlags, aListener,
                                 Maybe<dom::ClientInfo>());
 }
 
 nsresult WebTransportSessionProxy::AsyncConnectWithClient(
-    nsIURI* aURI,
+    nsIURI* aURI, bool aDedicated,
     const nsTArray<RefPtr<nsIWebTransportHash>>& aServerCertHashes,
     nsIPrincipal* aPrincipal, uint32_t aSecurityFlags,
     WebTransportSessionEventListener* aListener,
@@ -126,7 +127,10 @@ nsresult WebTransportSessionProxy::AsyncConnectWithClient(
     return NS_ERROR_ABORT;
   }
 
+  mDedicatedConnection = aDedicated;
+
   if (!aServerCertHashes.IsEmpty()) {
+    mServerCertHashes.Clear();
     mServerCertHashes.AppendElements(aServerCertHashes);
   }
 
@@ -235,6 +239,18 @@ WebTransportSessionProxy::CloseSession(uint32_t status,
   return NS_OK;
 }
 
+NS_IMETHODIMP WebTransportSessionProxy::GetDedicated(bool* dedicated) {
+  *dedicated = mDedicatedConnection;
+  return NS_OK;
+}
+
+NS_IMETHODIMP WebTransportSessionProxy::GetServerCertificateHashes(
+    nsTArray<RefPtr<nsIWebTransportHash>>& aServerCertHashes) {
+  aServerCertHashes.Clear();
+  aServerCertHashes.AppendElements(mServerCertHashes);
+  return NS_OK;
+}
+
 void WebTransportSessionProxy::CloseSessionInternalLocked() {
   MutexAutoLock lock(mMutex);
   CloseSessionInternal();
@@ -573,8 +589,7 @@ WebTransportSessionProxy::OnStartRequest(nsIRequest* aRequest) {
         nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(mChannel);
         if (!httpChannel ||
             NS_FAILED(httpChannel->GetResponseStatus(&status)) ||
-            !(status >= 200 && status < 300) ||
-            !CheckServerCertificateIfNeeded()) {
+            !(status >= 200 && status < 300)) {
           listener = mListener;
           mListener = nullptr;
           mChannel = nullptr;
@@ -990,57 +1005,6 @@ void WebTransportSessionProxy::CallOnSessionClosed() {
   }
 }
 
-bool WebTransportSessionProxy::CheckServerCertificateIfNeeded() {
-  if (mServerCertHashes.IsEmpty()) {
-    return true;
-  }
-
-  nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(mChannel);
-  MOZ_ASSERT(httpChannel, "Not a http channel ?");
-  nsCOMPtr<nsITransportSecurityInfo> tsi;
-  httpChannel->GetSecurityInfo(getter_AddRefs(tsi));
-  MOZ_ASSERT(tsi,
-             "We shouln't reach this code before setting the security info.");
-  nsCOMPtr<nsIX509Cert> cert;
-  nsresult rv = tsi->GetServerCert(getter_AddRefs(cert));
-  if (!cert || NS_WARN_IF(NS_FAILED(rv))) return true;
-  nsTArray<uint8_t> certDER;
-  if (NS_FAILED(cert->GetRawDER(certDER))) {
-    return false;
-  }
-  // https://w3c.github.io/webtransport/#compute-a-certificate-hash
-  nsTArray<uint8_t> certHash;
-  if (NS_FAILED(Digest::DigestBuf(SEC_OID_SHA256, certDER.Elements(),
-                                  certDER.Length(), certHash)) ||
-      certHash.Length() != SHA256_LENGTH) {
-    return false;
-  }
-  auto verifyCertDer = [&certHash](const auto& hash) {
-    return certHash.Length() == hash.Length() &&
-           memcmp(certHash.Elements(), hash.Elements(), certHash.Length()) == 0;
-  };
-
-  // https://w3c.github.io/webtransport/#verify-a-certificate-hash
-  for (const auto& hash : mServerCertHashes) {
-    nsCString algorithm;
-    if (NS_FAILED(hash->GetAlgorithm(algorithm)) || algorithm != "sha-256") {
-      continue;
-      LOG(("Unexpected non-SHA-256 hash"));
-    }
-
-    nsTArray<uint8_t> value;
-    if (NS_FAILED(hash->GetValue(value))) {
-      continue;
-      LOG(("Unexpected corrupted hash"));
-    }
-
-    if (verifyCertDer(value)) {
-      return true;
-    }
-  }
-  return false;
-}
-
 void WebTransportSessionProxy::ChangeState(
     WebTransportSessionProxyState newState) {
   mMutex.AssertCurrentThreadOwns();