Bug 1925014 - Disallow HTTP/3 when third party root is found, r=necko-reviewers,keeler,valentin

Differential Revision: https://phabricator.services.mozilla.com/D225788

modules/libpref/init/StaticPrefList.yaml

@@ -13993,6 +13993,19 @@
   mirror: always
   rust: true
 
+# When true, HTTP/3 will be disabled when third party roots are found.
+- name: network.http.http3.disable_when_third_party_roots_found
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
+# Only used for testing purposes. In automation, this value is used to override
+# the result of third party roots check.
+- name: network.http.http3.has_third_party_roots_found_in_automation
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
 # When true, a http request will be upgraded to https when HTTPS RR is
 # available.
 - name: network.dns.upgrade_with_https_rr

netwerk/base/nsNetUtil.cpp

@@ -2777,6 +2777,7 @@ void net_EnsurePSMInit() {
 
   DebugOnly<bool> rv = EnsureNSSInitializedChromeOrContent();
   MOZ_ASSERT(rv);
+  nsHttpHandler::CheckThirdPartyRoots();
 }
 
 bool NS_IsAboutBlank(nsIURI* uri) {

netwerk/protocol/http/nsHttpHandler.cpp

@@ -57,6 +57,7 @@
 #include "nsSocketTransportService2.h"
 #include "nsIOService.h"
 #include "nsISupportsPrimitives.h"
+#include "nsIX509CertDB.h"
 #include "nsIXULRuntime.h"
 #include "nsCharSeparatedTokenizer.h"
 #include "nsRFPService.h"
@@ -189,6 +190,35 @@ static bool IsRunningUnderUbuntuSnap() {
 
 StaticRefPtr<nsHttpHandler> gHttpHandler;
 
+// Assume we have third party roots. This will be updated after
+// CheckThirdPartyRoots() is called.
+static Atomic<bool, Relaxed> sHasThirdPartyRoots(true);
+static Atomic<bool, Relaxed> sHasThirdPartyRootsChecked(false);
+
+class HasThirdPartyRootsCallback : public nsIAsyncBoolCallback {
+ public:
+  NS_DECL_THREADSAFE_ISUPPORTS
+  NS_DECL_NSIASYNCBOOLCALLBACK
+
+  HasThirdPartyRootsCallback() = default;
+
+ private:
+  virtual ~HasThirdPartyRootsCallback() = default;
+};
+
+NS_IMPL_ISUPPORTS(HasThirdPartyRootsCallback, nsIAsyncBoolCallback)
+
+NS_IMETHODIMP
+HasThirdPartyRootsCallback::OnResult(bool aResult) {
+  sHasThirdPartyRoots =
+      (xpc::IsInAutomation() || PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR"))
+          ? StaticPrefs::
+                network_http_http3_has_third_party_roots_found_in_automation()
+          : aResult;
+  LOG(("nsHttpHandler::sHasThirdPartyRoots:%d", (bool)sHasThirdPartyRoots));
+  return NS_OK;
+}
+
 /* static */
 already_AddRefed<nsHttpHandler> nsHttpHandler::GetInstance() {
   if (!gHttpHandler) {
@@ -553,6 +583,20 @@ void nsHttpHandler::UpdateParentalControlsEnabled(bool waitForCompletion) {
   }
 }
 
+// static
+void nsHttpHandler::CheckThirdPartyRoots() {
+  if (!StaticPrefs::network_http_http3_disable_when_third_party_roots_found() ||
+      sHasThirdPartyRootsChecked) {
+    return;
+  }
+
+  sHasThirdPartyRootsChecked = true;
+  nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID);
+  if (certDB) {
+    Unused << certDB->AsyncHasThirdPartyRoots(new HasThirdPartyRootsCallback());
+  }
+}
+
 const nsCString& nsHttpHandler::Http3QlogDir() {
   if (StaticPrefs::network_http_http3_enable_qlog()) {
     return mHttp3QlogDir;
@@ -2700,7 +2744,10 @@ bool nsHttpHandler::IsHttp3Enabled() {
   static const uint32_t TLS3_PREF_VALUE = 4;
 
   return StaticPrefs::network_http_http3_enable() &&
-         (StaticPrefs::security_tls_version_max() >= TLS3_PREF_VALUE);
+         (StaticPrefs::security_tls_version_max() >= TLS3_PREF_VALUE) &&
+         (StaticPrefs::network_http_http3_disable_when_third_party_roots_found()
+              ? !sHasThirdPartyRoots
+              : true);
 }
 
 bool nsHttpHandler::IsHttp3VersionSupported(const nsACString& version) {

netwerk/protocol/http/nsHttpHandler.h

@@ -506,6 +506,7 @@ class nsHttpHandler final : public nsIHttpProtocolHandler,
 
   static bool GetParentalControlsEnabled() { return sParentalControlsEnabled; }
   static void UpdateParentalControlsEnabled(bool waitForCompletion);
+  static void CheckThirdPartyRoots();
 
  private:
   nsHttpHandler();