Bug 1758155 - Remove some PSM actos from PBackground, r=keeler,nika,necko-reviewers,jesup

Differential Revision: https://phabricator.services.mozilla.com/D182996

ipc/glue/BackgroundParentImpl.cpp

@@ -67,9 +67,6 @@
 #include "mozilla/net/HttpBackgroundChannelParent.h"
 #include "mozilla/net/HttpConnectionMgrParent.h"
 #include "mozilla/net/WebSocketConnectionParent.h"
-#include "mozilla/psm/IPCClientCertsParent.h"
-#include "mozilla/psm/SelectTLSClientAuthCertParent.h"
-#include "mozilla/psm/VerifySSLServerCertParent.h"
 #include "nsIHttpChannelInternal.h"
 #include "nsIPrincipal.h"
 #include "nsProxyRelease.h"
@@ -731,68 +728,6 @@ bool BackgroundParentImpl::DeallocPUDPSocketParent(PUDPSocketParent* actor) {
   return true;
 }
 
-already_AddRefed<mozilla::psm::PVerifySSLServerCertParent>
-BackgroundParentImpl::AllocPVerifySSLServerCertParent(
-    const nsTArray<ByteArray>& aPeerCertChain, const nsACString& aHostName,
-    const int32_t& aPort, const OriginAttributes& aOriginAttributes,
-    const Maybe<ByteArray>& aStapledOCSPResponse,
-    const Maybe<ByteArray>& aSctsFromTLSExtension,
-    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
-    const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
-  RefPtr<mozilla::psm::VerifySSLServerCertParent> parent =
-      new mozilla::psm::VerifySSLServerCertParent();
-  return parent.forget();
-}
-
-mozilla::ipc::IPCResult
-BackgroundParentImpl::RecvPVerifySSLServerCertConstructor(
-    PVerifySSLServerCertParent* aActor, nsTArray<ByteArray>&& aPeerCertChain,
-    const nsACString& aHostName, const int32_t& aPort,
-    const OriginAttributes& aOriginAttributes,
-    const Maybe<ByteArray>& aStapledOCSPResponse,
-    const Maybe<ByteArray>& aSctsFromTLSExtension,
-    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
-    const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
-  mozilla::psm::VerifySSLServerCertParent* authCert =
-      static_cast<mozilla::psm::VerifySSLServerCertParent*>(aActor);
-  if (!authCert->Dispatch(std::move(aPeerCertChain), aHostName, aPort,
-                          aOriginAttributes, aStapledOCSPResponse,
-                          aSctsFromTLSExtension, aDcInfo, aProviderFlags,
-                          aCertVerifierFlags)) {
-    return IPC_FAIL_NO_REASON(this);
-  }
-  return IPC_OK();
-}
-
-already_AddRefed<mozilla::psm::PSelectTLSClientAuthCertParent>
-BackgroundParentImpl::AllocPSelectTLSClientAuthCertParent(
-    const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
-    const int32_t& aPort, const uint32_t& aProviderFlags,
-    const uint32_t& aProviderTlsFlags, const ByteArray& aServerCertBytes,
-    const nsTArray<ByteArray>& aCANames, const uint64_t& aBrowserId) {
-  RefPtr<mozilla::psm::SelectTLSClientAuthCertParent> parent =
-      new mozilla::psm::SelectTLSClientAuthCertParent();
-  return parent.forget();
-}
-
-mozilla::ipc::IPCResult
-BackgroundParentImpl::RecvPSelectTLSClientAuthCertConstructor(
-    PSelectTLSClientAuthCertParent* actor, const nsACString& aHostName,
-    const OriginAttributes& aOriginAttributes, const int32_t& aPort,
-    const uint32_t& aProviderFlags, const uint32_t& aProviderTlsFlags,
-    const ByteArray& aServerCertBytes, nsTArray<ByteArray>&& aCANames,
-    const uint64_t& aBrowserId) {
-  mozilla::psm::SelectTLSClientAuthCertParent* selectTLSClientAuthCertParent =
-      static_cast<mozilla::psm::SelectTLSClientAuthCertParent*>(actor);
-  if (!selectTLSClientAuthCertParent->Dispatch(
-          aHostName, aOriginAttributes, aPort, aProviderFlags,
-          aProviderTlsFlags, aServerCertBytes, std::move(aCANames),
-          aBrowserId)) {
-    return IPC_FAIL_NO_REASON(this);
-  }
-  return IPC_OK();
-}
-
 mozilla::dom::PBroadcastChannelParent*
 BackgroundParentImpl::AllocPBroadcastChannelParent(
     const PrincipalInfo& aPrincipalInfo, const nsACString& aOrigin,
@@ -967,21 +902,6 @@ mozilla::ipc::IPCResult BackgroundParentImpl::RecvPMessagePortConstructor(
   return IPC_OK();
 }
 
-already_AddRefed<psm::PIPCClientCertsParent>
-BackgroundParentImpl::AllocPIPCClientCertsParent() {
-  // This should only be called in the parent process with the socket process
-  // as the child process, not any content processes, hence the check that the
-  // child ID be 0.
-  MOZ_ASSERT(XRE_IsParentProcess());
-  MOZ_ASSERT(mozilla::ipc::BackgroundParent::GetChildID(this) == 0);
-  if (!XRE_IsParentProcess() ||
-      mozilla::ipc::BackgroundParent::GetChildID(this) != 0) {
-    return nullptr;
-  }
-  RefPtr<psm::IPCClientCertsParent> result = new psm::IPCClientCertsParent();
-  return result.forget();
-}
-
 bool BackgroundParentImpl::DeallocPMessagePortParent(
     PMessagePortParent* aActor) {
   AssertIsInMainOrSocketProcess();

ipc/glue/BackgroundParentImpl.h

@@ -192,39 +192,6 @@ class BackgroundParentImpl : public PBackgroundParent {
 
   already_AddRefed<PVsyncParent> AllocPVsyncParent() override;
 
-  already_AddRefed<mozilla::psm::PVerifySSLServerCertParent>
-  AllocPVerifySSLServerCertParent(
-      const nsTArray<ByteArray>& aPeerCertChain, const nsACString& aHostName,
-      const int32_t& aPort, const OriginAttributes& aOriginAttributes,
-      const Maybe<ByteArray>& aStapledOCSPResponse,
-      const Maybe<ByteArray>& aSctsFromTLSExtension,
-      const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
-      const uint32_t& aProviderFlags,
-      const uint32_t& aCertVerifierFlags) override;
-
-  mozilla::ipc::IPCResult RecvPVerifySSLServerCertConstructor(
-      PVerifySSLServerCertParent* aActor, nsTArray<ByteArray>&& aPeerCertChain,
-      const nsACString& aHostName, const int32_t& aPort,
-      const OriginAttributes& aOriginAttributes,
-      const Maybe<ByteArray>& aStapledOCSPResponse,
-      const Maybe<ByteArray>& aSctsFromTLSExtension,
-      const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
-      const uint32_t& aProviderFlags,
-      const uint32_t& aCertVerifierFlags) override;
-
-  virtual already_AddRefed<mozilla::psm::PSelectTLSClientAuthCertParent>
-  AllocPSelectTLSClientAuthCertParent(
-      const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
-      const int32_t& aPort, const uint32_t& aProviderFlags,
-      const uint32_t& aProviderTlsFlags, const ByteArray& aServerCertBytes,
-      const nsTArray<ByteArray>& aCANames, const uint64_t& aBrowserId) override;
-  virtual mozilla::ipc::IPCResult RecvPSelectTLSClientAuthCertConstructor(
-      PSelectTLSClientAuthCertParent* actor, const nsACString& aHostName,
-      const OriginAttributes& aOriginAttributes, const int32_t& aPort,
-      const uint32_t& aProviderFlags, const uint32_t& aProviderTlsFlags,
-      const ByteArray& aServerCertBytes, nsTArray<ByteArray>&& aCANames,
-      const uint64_t& aBrowserId) override;
-
   PBroadcastChannelParent* AllocPBroadcastChannelParent(
       const PrincipalInfo& aPrincipalInfo, const nsACString& aOrigin,
       const nsAString& aChannel) override;
@@ -268,8 +235,6 @@ class BackgroundParentImpl : public PBackgroundParent {
       PMessagePortParent* aActor, const nsID& aUUID,
       const nsID& aDestinationUUID, const uint32_t& aSequenceID) override;
 
-  already_AddRefed<PIPCClientCertsParent> AllocPIPCClientCertsParent() override;
-
   bool DeallocPMessagePortParent(PMessagePortParent* aActor) override;
 
   mozilla::ipc::IPCResult RecvMessagePortForceClose(

ipc/glue/PBackground.ipdl

@@ -26,7 +26,6 @@ include protocol PFileSystemRequest;
 include protocol PGamepadEventChannel;
 include protocol PGamepadTestChannel;
 include protocol PHttpBackgroundChannel;
-include protocol PIPCClientCerts;
 include protocol PIdleScheduler;
 include protocol PMediaTransport;
 include protocol PRemoteWorker;
@@ -41,14 +40,12 @@ include protocol PLockManager;
 include protocol PMIDIManager;
 include protocol PMIDIPort;
 include protocol PQuota;
-include protocol PSelectTLSClientAuthCert;
 include protocol PServiceWorker;
 include protocol PServiceWorkerContainer;
 include protocol PServiceWorkerManager;
 include protocol PServiceWorkerRegistration;
 include protocol PWebAuthnTransaction;
 include protocol PUDPSocket;
-include protocol PVerifySSLServerCert;
 include protocol PVsync;
 include protocol PRemoteDecoderManager;
 include protocol PWebSocketConnection;
@@ -65,7 +62,6 @@ include PBackgroundSharedTypes;
 include PBackgroundIDBSharedTypes;
 include PFileSystemParams;
 include ProtocolTypes;
-include PSMIPCTypes;
 include RemoteWorkerTypes;
 include MIDITypes;
 
@@ -109,7 +105,6 @@ sync protocol PBackground
   manages PGamepadEventChannel;
   manages PGamepadTestChannel;
   manages PHttpBackgroundChannel;
-  manages PIPCClientCerts;
   manages PIdleScheduler;
   manages PLockManager;
   manages PRemoteWorker;
@@ -121,7 +116,6 @@ sync protocol PBackground
   manages PMessagePort;
   manages PCameras;
   manages PQuota;
-  manages PSelectTLSClientAuthCert;
   manages PServiceWorker;
   manages PServiceWorkerContainer;
   manages PServiceWorkerManager;
@@ -129,7 +123,6 @@ sync protocol PBackground
   manages PWebAuthnTransaction;
   manages PWebSocketConnection;
   manages PUDPSocket;
-  manages PVerifySSLServerCert;
   manages PVsync;
   manages PFetch;
 
@@ -281,25 +274,6 @@ parent:
 
   async PIdleScheduler();
 
-  async PSelectTLSClientAuthCert(nsCString aHostName,
-                                 OriginAttributes aOriginAttributes,
-                                 int32_t aPort,
-                                 uint32_t aProviderFlags,
-                                 uint32_t aProviderTlsFlags,
-                                 ByteArray aServerCertBytes,
-                                 ByteArray[] aCANames,
-                                 uint64_t aBrowserId);
-
-  async PVerifySSLServerCert(ByteArray[] aPeerCertChain,
-                             nsCString aHostName,
-                             int32_t aPort,
-                             OriginAttributes aOriginAttributes,
-                             ByteArray? aStapledOCSPResponse,
-                             ByteArray? aSctsFromTLSExtension,
-                             DelegatedCredentialInfoArg? aDcInfo,
-                             uint32_t aProviderFlags,
-                             uint32_t aCertVerifierFlags);
-
   async EnsureRDDProcessAndCreateBridge()
       returns (nsresult rv, Endpoint<PRemoteDecoderManagerChild> aEndpoint);
 
@@ -310,8 +284,6 @@ parent:
 
   async PLockManager(nsIPrincipal aPrincipalInfo, nsID aClientId);
 
-  async PIPCClientCerts();
-
   async PFetch();
 
   async RequestCameraAccess() returns (nsresult rv);

netwerk/base/NetworkConnectivityService.cpp

@@ -4,10 +4,12 @@
 
 #include "DNSUtils.h"
 #include "NetworkConnectivityService.h"
+#include "mozilla/ClearOnShutdown.h"
 #include "mozilla/net/SocketProcessParent.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "nsCOMPtr.h"
+#include "nsIChannel.h"
 #include "nsIOService.h"
 #include "nsICancelable.h"
 #include "xpcpublic.h"

netwerk/ipc/PSocketProcess.ipdl

@@ -17,6 +17,7 @@ include protocol PTRRService;
 include protocol PProxyConfigLookup;
 include protocol PNativeDNSResolverOverride;
 include protocol PProxyAutoConfig;
+include protocol PSocketProcessBackground;
 
 #if defined(MOZ_SANDBOX) && defined(MOZ_DEBUG) && defined(ENABLE_TESTS)
 include protocol PSandboxTesting;
@@ -25,7 +26,6 @@ include protocol PSandboxTesting;
 include MemoryReportTypes;
 include NeckoChannelParams;
 include PrefsTypes;
-include PSMIPCTypes;
 
 include "mozilla/ipc/ByteBufUtils.h";
 
@@ -122,6 +122,7 @@ parent:
                             uint64_t aExtraSizeData,
                             nsCString aExtraStringData);
   async InitBackground(Endpoint<PBackgroundStarterParent> aEndpoint);
+  async InitSocketBackground(Endpoint<PSocketProcessBackgroundParent> aEndpoint);
   async PAltService();
   async PProxyConfigLookup(nullable nsIURI aUri, uint32_t aFlags);
   async CachePushCheck(nullable nsIURI aPushedURL,

netwerk/ipc/PSocketProcessBackground.ipdl

@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+include protocol PVerifySSLServerCert;
+include protocol PSelectTLSClientAuthCert;
+include protocol PIPCClientCerts;
+
+include PSMIPCTypes;
+
+using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h";
+
+namespace mozilla {
+namespace net {
+
+/**
+  * PSocketProcessBackground is the top level IPC protocol between
+  * a background task queue in the socket process and the parent process.
+  * We use this to create several IPC protocols between the socket process
+  * and the parent process.
+  */
+sync protocol PSocketProcessBackground
+{
+parent:
+  async InitVerifySSLServerCert(
+    Endpoint<PVerifySSLServerCertParent> aEndpoint,
+    ByteArray[] aPeerCertChain,
+    nsCString aHostName,
+    int32_t aPort,
+    OriginAttributes aOriginAttributes,
+    ByteArray? aStapledOCSPResponse,
+    ByteArray? aSctsFromTLSExtension,
+    DelegatedCredentialInfoArg? aDcInfo,
+    uint32_t aProviderFlags,
+    uint32_t aCertVerifierFlags);
+
+  async InitSelectTLSClientAuthCert(
+    Endpoint<PSelectTLSClientAuthCertParent> aEndpoint,
+    nsCString aHostName,
+    OriginAttributes aOriginAttributes,
+    int32_t aPort,
+    uint32_t aProviderFlags,
+    uint32_t aProviderTlsFlags,
+    ByteArray aServerCertBytes,
+    ByteArray[] aCANames,
+    uint64_t aBrowserId);
+
+  async InitIPCClientCerts(Endpoint<PIPCClientCertsParent> aEndpoint);
+};
+
+} // namespace net
+} // namespace mozilla

netwerk/ipc/SocketProcessBackgroundChild.cpp

@@ -0,0 +1,113 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "SocketProcessBackgroundChild.h"
+#include "SocketProcessLogging.h"
+
+#include "mozilla/ipc/Endpoint.h"
+#include "nsThreadUtils.h"
+
+namespace mozilla::net {
+
+StaticMutex SocketProcessBackgroundChild::sMutex;
+StaticRefPtr<SocketProcessBackgroundChild>
+    SocketProcessBackgroundChild::sInstance;
+StaticRefPtr<nsISerialEventTarget> SocketProcessBackgroundChild::sTaskQueue;
+
+// static
+RefPtr<SocketProcessBackgroundChild>
+SocketProcessBackgroundChild::GetSingleton() {
+  StaticMutexAutoLock lock(sMutex);
+  return sInstance;
+}
+
+// static
+void SocketProcessBackgroundChild::Create(
+    ipc::Endpoint<PSocketProcessBackgroundChild>&& aEndpoint) {
+  if (NS_WARN_IF(!aEndpoint.IsValid())) {
+    MOZ_ASSERT_UNREACHABLE(
+        "Can't create SocketProcessBackgroundChild with invalid endpoint");
+    return;
+  }
+
+  nsCOMPtr<nsISerialEventTarget> transportQueue;
+  if (NS_WARN_IF(NS_FAILED(NS_CreateBackgroundTaskQueue(
+          "SocketBackgroundChildQueue", getter_AddRefs(transportQueue))))) {
+    return;
+  }
+
+  RefPtr<SocketProcessBackgroundChild> actor =
+      new SocketProcessBackgroundChild();
+
+  transportQueue->Dispatch(NS_NewRunnableFunction(
+      "BindSocketBackgroundChild",
+      [endpoint = std::move(aEndpoint), actor]() mutable {
+        // We checked endpoint validity before the dispatch, so this cannot
+        // fail.
+        MOZ_ALWAYS_TRUE(endpoint.Bind(actor));
+      }));
+
+  // Immediately store the actor and queue into the global.
+  // Any messages dispatched to the queue will arrive after it has been bound.
+  LOG(("SocketProcessBackgroundChild::Create"));
+  StaticMutexAutoLock lock(sMutex);
+  MOZ_ASSERT(!sInstance && !sTaskQueue,
+             "Cannot initialize SocketProcessBackgroundChild twice!");
+  sInstance = actor;
+  sTaskQueue = transportQueue;
+}
+
+// static
+void SocketProcessBackgroundChild::Shutdown() {
+  nsCOMPtr<nsISerialEventTarget> taskQueue = TaskQueue();
+  if (!taskQueue) {
+    return;
+  }
+
+  taskQueue->Dispatch(
+      NS_NewRunnableFunction("SocketProcessBackgroundChild::Shutdown", []() {
+        LOG(("SocketProcessBackgroundChild::Shutdown"));
+        StaticMutexAutoLock lock(sMutex);
+        sInstance->Close();
+        sInstance = nullptr;
+        sTaskQueue = nullptr;
+      }));
+}
+
+// static
+already_AddRefed<nsISerialEventTarget>
+SocketProcessBackgroundChild::TaskQueue() {
+  StaticMutexAutoLock lock(sMutex);
+  return do_AddRef(sTaskQueue);
+}
+
+// static
+nsresult SocketProcessBackgroundChild::WithActor(
+    const char* aName,
+    MoveOnlyFunction<void(SocketProcessBackgroundChild*)> aCallback) {
+  nsCOMPtr<nsISerialEventTarget> taskQueue = TaskQueue();
+  if (!taskQueue) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  return taskQueue->Dispatch(NS_NewRunnableFunction(
+      aName, [callback = std::move(aCallback)]() mutable {
+        RefPtr<SocketProcessBackgroundChild> actor =
+            SocketProcessBackgroundChild::GetSingleton();
+        if (actor) {
+          callback(actor);
+        }
+      }));
+}
+
+SocketProcessBackgroundChild::SocketProcessBackgroundChild() {
+  LOG(("SocketProcessBackgroundChild ctor"));
+}
+
+SocketProcessBackgroundChild::~SocketProcessBackgroundChild() {
+  LOG(("SocketProcessBackgroundChild dtor"));
+}
+
+}  // namespace mozilla::net

netwerk/ipc/SocketProcessBackgroundChild.h

@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_net_SocketProcessBackgroundChild_h
+#define mozilla_net_SocketProcessBackgroundChild_h
+
+#include "mozilla/MoveOnlyFunction.h"
+#include "mozilla/net/PSocketProcessBackgroundChild.h"
+#include "mozilla/StaticMutex.h"
+#include "mozilla/StaticPtr.h"
+
+namespace mozilla {
+namespace net {
+
+class SocketProcessBackgroundChild final
+    : public PSocketProcessBackgroundChild {
+ public:
+  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SocketProcessBackgroundChild, final)
+
+  static void Create(ipc::Endpoint<PSocketProcessBackgroundChild>&& aEndpoint);
+  static void Shutdown();
+  // |aCallback| will be called with the actor asynchronously on |sTaskQueue|.
+  static nsresult WithActor(
+      const char* aName,
+      MoveOnlyFunction<void(SocketProcessBackgroundChild*)> aCallback);
+
+ private:
+  SocketProcessBackgroundChild();
+  virtual ~SocketProcessBackgroundChild();
+
+  static RefPtr<SocketProcessBackgroundChild> GetSingleton();
+  static already_AddRefed<nsISerialEventTarget> TaskQueue();
+
+  static StaticMutex sMutex;
+  static StaticRefPtr<SocketProcessBackgroundChild> sInstance
+      MOZ_GUARDED_BY(sMutex);
+  static StaticRefPtr<nsISerialEventTarget> sTaskQueue MOZ_GUARDED_BY(sMutex);
+};
+
+}  // namespace net
+}  // namespace mozilla
+
+#endif  // mozilla_net_SocketProcessBackgroundChild_h

netwerk/ipc/SocketProcessBackgroundParent.cpp

@@ -0,0 +1,134 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "SocketProcessBackgroundParent.h"
+#include "SocketProcessLogging.h"
+
+#include "mozilla/ipc/Endpoint.h"
+#include "mozilla/psm/IPCClientCertsParent.h"
+#include "mozilla/psm/VerifySSLServerCertParent.h"
+#include "mozilla/psm/SelectTLSClientAuthCertParent.h"
+
+namespace mozilla::net {
+
+SocketProcessBackgroundParent::SocketProcessBackgroundParent() {
+  LOG(("SocketProcessBackgroundParent ctor"));
+}
+
+SocketProcessBackgroundParent::~SocketProcessBackgroundParent() {
+  LOG(("SocketProcessBackgroundParent dtor"));
+}
+
+mozilla::ipc::IPCResult
+SocketProcessBackgroundParent::RecvInitVerifySSLServerCert(
+    Endpoint<PVerifySSLServerCertParent>&& aEndpoint,
+    nsTArray<ByteArray>&& aPeerCertChain, const nsACString& aHostName,
+    const int32_t& aPort, const OriginAttributes& aOriginAttributes,
+    const Maybe<ByteArray>& aStapledOCSPResponse,
+    const Maybe<ByteArray>& aSctsFromTLSExtension,
+    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
+    const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
+  LOG(("SocketProcessBackgroundParent::RecvInitVerifySSLServerCert\n"));
+  if (!aEndpoint.IsValid()) {
+    return IPC_FAIL(this, "Invalid endpoint");
+  }
+
+  nsCOMPtr<nsISerialEventTarget> transportQueue;
+  if (NS_FAILED(NS_CreateBackgroundTaskQueue("VerifySSLServerCert",
+                                             getter_AddRefs(transportQueue)))) {
+    return IPC_FAIL(this, "NS_CreateBackgroundTaskQueue failed");
+  }
+
+  transportQueue->Dispatch(NS_NewRunnableFunction(
+      "InitVerifySSLServerCert",
+      [endpoint = std::move(aEndpoint),
+       peerCertChain = std::move(aPeerCertChain),
+       hostName = nsCString(aHostName), port(aPort),
+       originAttributes(aOriginAttributes),
+       stapledOCSPResponse = std::move(aStapledOCSPResponse),
+       sctsFromTLSExtension = std::move(aSctsFromTLSExtension),
+       dcInfo = std::move(aDcInfo), providerFlags(aProviderFlags),
+       certVerifierFlags(aCertVerifierFlags)]() mutable {
+        RefPtr<psm::VerifySSLServerCertParent> parent =
+            new psm::VerifySSLServerCertParent();
+        if (!endpoint.Bind(parent)) {
+          return;
+        }
+
+        parent->Dispatch(std::move(peerCertChain), hostName, port,
+                         originAttributes, stapledOCSPResponse,
+                         sctsFromTLSExtension, dcInfo, providerFlags,
+                         certVerifierFlags);
+      }));
+
+  return IPC_OK();
+}
+
+mozilla::ipc::IPCResult
+SocketProcessBackgroundParent::RecvInitSelectTLSClientAuthCert(
+    Endpoint<PSelectTLSClientAuthCertParent>&& aEndpoint,
+    const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+    const int32_t& aPort, const uint32_t& aProviderFlags,
+    const uint32_t& aProviderTlsFlags, const ByteArray& aServerCertBytes,
+    nsTArray<ByteArray>&& aCANames, const uint64_t& aBrowserId) {
+  LOG(("SocketProcessBackgroundParent::RecvInitSelectTLSClientAuthCert\n"));
+  if (!aEndpoint.IsValid()) {
+    return IPC_FAIL(this, "Invalid endpoint");
+  }
+
+  nsCOMPtr<nsISerialEventTarget> transportQueue;
+  if (NS_FAILED(NS_CreateBackgroundTaskQueue("SelectTLSClientAuthCert",
+                                             getter_AddRefs(transportQueue)))) {
+    return IPC_FAIL(this, "NS_CreateBackgroundTaskQueue failed");
+  }
+
+  transportQueue->Dispatch(NS_NewRunnableFunction(
+      "InitSelectTLSClientAuthCert",
+      [endpoint = std::move(aEndpoint), hostName = nsCString(aHostName),
+       originAttributes(aOriginAttributes), port(aPort),
+       providerFlags(aProviderFlags), providerTlsFlags(aProviderTlsFlags),
+       serverCertBytes(aServerCertBytes), CANAMEs(std::move(aCANames)),
+       browserId(aBrowserId)]() mutable {
+        RefPtr<psm::SelectTLSClientAuthCertParent> parent =
+            new psm::SelectTLSClientAuthCertParent();
+        if (!endpoint.Bind(parent)) {
+          return;
+        }
+
+        parent->Dispatch(hostName, originAttributes, port, providerFlags,
+                         providerTlsFlags, serverCertBytes, std::move(CANAMEs),
+                         browserId);
+      }));
+
+  return IPC_OK();
+}
+
+mozilla::ipc::IPCResult SocketProcessBackgroundParent::RecvInitIPCClientCerts(
+    Endpoint<PIPCClientCertsParent>&& aEndpoint) {
+  LOG(("SocketProcessBackgroundParent::RecvInitIPCClientCerts\n"));
+  if (!aEndpoint.IsValid()) {
+    return IPC_FAIL(this, "Invalid endpoint");
+  }
+
+  nsCOMPtr<nsISerialEventTarget> transportQueue;
+  if (NS_FAILED(NS_CreateBackgroundTaskQueue("IPCClientCerts",
+                                             getter_AddRefs(transportQueue)))) {
+    return IPC_FAIL(this, "NS_CreateBackgroundTaskQueue failed");
+  }
+
+  transportQueue->Dispatch(NS_NewRunnableFunction(
+      "InitIPCClientCerts", [endpoint = std::move(aEndpoint)]() mutable {
+        RefPtr<psm::IPCClientCertsParent> parent =
+            new psm::IPCClientCertsParent();
+        endpoint.Bind(parent);
+      }));
+  return IPC_OK();
+}
+
+void SocketProcessBackgroundParent::ActorDestroy(ActorDestroyReason aReason) {
+  LOG(("SocketProcessBackgroundParent::ActorDestroy"));
+}
+
+}  // namespace mozilla::net

netwerk/ipc/SocketProcessBackgroundParent.h

@@ -0,0 +1,49 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_net_SocketProcessBackgroundParent_h
+#define mozilla_net_SocketProcessBackgroundParent_h
+
+#include "mozilla/net/PSocketProcessBackgroundParent.h"
+
+namespace mozilla {
+namespace net {
+
+class SocketProcessBackgroundParent final
+    : public PSocketProcessBackgroundParent {
+ public:
+  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SocketProcessBackgroundParent, final)
+
+  SocketProcessBackgroundParent();
+
+  mozilla::ipc::IPCResult RecvInitVerifySSLServerCert(
+      Endpoint<PVerifySSLServerCertParent>&& aEndpoint,
+      nsTArray<ByteArray>&& aPeerCertChain, const nsACString& aHostName,
+      const int32_t& aPort, const OriginAttributes& aOriginAttributes,
+      const Maybe<ByteArray>& aStapledOCSPResponse,
+      const Maybe<ByteArray>& aSctsFromTLSExtension,
+      const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
+      const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags);
+
+  mozilla::ipc::IPCResult RecvInitIPCClientCerts(
+      Endpoint<PIPCClientCertsParent>&& aEndpoint);
+
+  mozilla::ipc::IPCResult RecvInitSelectTLSClientAuthCert(
+      Endpoint<PSelectTLSClientAuthCertParent>&& aEndpoint,
+      const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
+      const int32_t& aPort, const uint32_t& aProviderFlags,
+      const uint32_t& aProviderTlsFlags, const ByteArray& aServerCertBytes,
+      nsTArray<ByteArray>&& aCANames, const uint64_t& aBrowserId);
+
+  void ActorDestroy(ActorDestroyReason aReason) override;
+
+ private:
+  ~SocketProcessBackgroundParent();
+};
+
+}  // namespace net
+}  // namespace mozilla
+
+#endif  // mozilla_net_SocketProcessBackgroundParent_h

netwerk/ipc/SocketProcessChild.cpp

@@ -26,6 +26,7 @@
 #include "mozilla/net/DNSRequestParent.h"
 #include "mozilla/net/NativeDNSResolverOverrideChild.h"
 #include "mozilla/net/ProxyAutoConfigChild.h"
+#include "mozilla/net/SocketProcessBackgroundChild.h"
 #include "mozilla/net/TRRServiceChild.h"
 #include "mozilla/ipc/ProcessUtils.h"
 #include "mozilla/Preferences.h"
@@ -104,6 +105,46 @@ void CGSShutdownServerConnections();
 };
 #endif
 
+void SocketProcessChild::InitSocketBackground() {
+  Endpoint<PSocketProcessBackgroundParent> parentEndpoint;
+  Endpoint<PSocketProcessBackgroundChild> childEndpoint;
+  if (NS_WARN_IF(NS_FAILED(PSocketProcessBackground::CreateEndpoints(
+          &parentEndpoint, &childEndpoint)))) {
+    return;
+  }
+
+  SocketProcessBackgroundChild::Create(std::move(childEndpoint));
+
+  Unused << SendInitSocketBackground(std::move(parentEndpoint));
+}
+
+namespace {
+
+class NetTeardownObserver final : public nsIObserver {
+ public:
+  NetTeardownObserver() = default;
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIOBSERVER
+
+ private:
+  ~NetTeardownObserver() = default;
+};
+
+NS_IMPL_ISUPPORTS(NetTeardownObserver, nsIObserver)
+
+NS_IMETHODIMP
+NetTeardownObserver::Observe(nsISupports* aSubject, const char* aTopic,
+                             const char16_t* aData) {
+  if (SocketProcessChild* child = SocketProcessChild::GetSingleton()) {
+    child->CloseIPCClientCertsActor();
+  }
+
+  return NS_OK;
+}
+
+}  // namespace
+
 bool SocketProcessChild::Init(mozilla::ipc::UntypedEndpoint&& aEndpoint,
                               const char* aParentBuildID) {
   if (NS_WARN_IF(NS_FAILED(nsThreadManager::get().Init()))) {
@@ -132,6 +173,8 @@ bool SocketProcessChild::Init(mozilla::ipc::UntypedEndpoint&& aEndpoint,
   BackgroundChild::Startup();
   BackgroundChild::InitSocketStarter(this);
 
+  InitSocketBackground();
+
   SetThisProcessName("Socket Process");
 #if defined(XP_MACOSX)
   // Close all current connections to the WindowServer. This ensures that the
@@ -163,13 +206,27 @@ bool SocketProcessChild::Init(mozilla::ipc::UntypedEndpoint&& aEndpoint,
     return false;
   }
 
+  nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+  if (obs) {
+    nsCOMPtr<nsIObserver> observer = new NetTeardownObserver();
+    Unused << obs->AddObserver(observer, "profile-change-net-teardown", false);
+  }
+
+  mSocketThread = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID);
+  if (!mSocketThread) {
+    return false;
+  }
+
   return true;
 }
 
 void SocketProcessChild::ActorDestroy(ActorDestroyReason aWhy) {
   LOG(("SocketProcessChild::ActorDestroy\n"));
 
-  mShuttingDown = true;
+  {
+    MutexAutoLock lock(mMutex);
+    mShuttingDown = true;
+  }
 
   if (AbnormalShutdown == aWhy) {
     NS_WARNING("Shutting down Socket process early due to a crash!");
@@ -192,6 +249,8 @@ void SocketProcessChild::ActorDestroy(ActorDestroyReason aWhy) {
 void SocketProcessChild::CleanUp() {
   LOG(("SocketProcessChild::CleanUp\n"));
 
+  SocketProcessBackgroundChild::Shutdown();
+
   for (const auto& parent : mSocketProcessBridgeParentMap.Values()) {
     if (parent->CanSend()) {
       parent->Close();
@@ -708,5 +767,66 @@ SocketProcessChild::RecvUnblockUntrustedModulesThread() {
 }
 #endif  // defined(XP_WIN)
 
+bool SocketProcessChild::IsShuttingDown() {
+  MutexAutoLock lock(mMutex);
+  return mShuttingDown;
+}
+
+void SocketProcessChild::CloseIPCClientCertsActor() {
+  LOG(("SocketProcessChild::CloseIPCClientCertsActor"));
+  MOZ_ASSERT(NS_IsMainThread());
+
+  mSocketThread->Dispatch(NS_NewRunnableFunction(
+      "CloseIPCClientCertsActor", [self = RefPtr{this}]() {
+        LOG(("CloseIPCClientCertsActor"));
+        if (self->mIPCClientCertsChild) {
+          self->mIPCClientCertsChild->Close();
+          self->mIPCClientCertsChild = nullptr;
+        }
+      }));
+}
+
+already_AddRefed<psm::IPCClientCertsChild>
+SocketProcessChild::GetIPCClientCertsActor() {
+  LOG(("SocketProcessChild::GetIPCClientCertsActor"));
+  // Only socket thread can access the mIPCClientCertsChild.
+  if (!OnSocketThread()) {
+    return nullptr;
+  }
+
+  {
+    MutexAutoLock lock(mMutex);
+    if (mShuttingDown) {
+      return nullptr;
+    }
+  }
+
+  if (mIPCClientCertsChild) {
+    RefPtr<psm::IPCClientCertsChild> actorChild = mIPCClientCertsChild;
+    return actorChild.forget();
+  }
+
+  ipc::Endpoint<psm::PIPCClientCertsParent> parentEndpoint;
+  ipc::Endpoint<psm::PIPCClientCertsChild> childEndpoint;
+  psm::PIPCClientCerts::CreateEndpoints(&parentEndpoint, &childEndpoint);
+
+  if (NS_FAILED(SocketProcessBackgroundChild::WithActor(
+          "SendInitIPCClientCerts",
+          [endpoint = std::move(parentEndpoint)](
+              SocketProcessBackgroundChild* aActor) mutable {
+            Unused << aActor->SendInitIPCClientCerts(std::move(endpoint));
+          }))) {
+    return nullptr;
+  }
+
+  RefPtr<psm::IPCClientCertsChild> actor = new psm::IPCClientCertsChild();
+  if (!childEndpoint.Bind(actor)) {
+    return nullptr;
+  }
+
+  mIPCClientCertsChild = actor;
+  return actor.forget();
+}
+
 }  // namespace net
 }  // namespace mozilla

netwerk/ipc/SocketProcessChild.h

@@ -8,6 +8,7 @@
 
 #include "mozilla/net/PSocketProcessChild.h"
 #include "mozilla/ipc/InputStreamUtils.h"
+#include "mozilla/psm/IPCClientCertsChild.h"
 #include "mozilla/Mutex.h"
 #include "nsRefPtrHashtable.h"
 #include "nsTHashMap.h"
@@ -24,6 +25,7 @@ namespace mozilla {
 namespace net {
 
 class ProxyAutoConfigChild;
+class SocketProcessBackgroundChild;
 class SocketProcessBridgeParent;
 class BackgroundDataBridgeParent;
 
@@ -90,7 +92,7 @@ class SocketProcessChild final : public PSocketProcessChild {
   already_AddRefed<PAltSvcTransactionChild> AllocPAltSvcTransactionChild(
       const HttpConnectionInfoCloneArgs& aConnInfo, const uint32_t& aCaps);
 
-  bool IsShuttingDown() { return mShuttingDown; }
+  bool IsShuttingDown();
 
   already_AddRefed<PDNSRequestChild> AllocPDNSRequestChild(
       const nsACString& aHost, const nsACString& aTrrServer,
@@ -151,10 +153,15 @@ class SocketProcessChild final : public PSocketProcessChild {
   mozilla::ipc::IPCResult RecvUnblockUntrustedModulesThread();
 #endif  // defined(XP_WIN)
 
+  already_AddRefed<psm::IPCClientCertsChild> GetIPCClientCertsActor();
+  void CloseIPCClientCertsActor();
+
  protected:
   friend class SocketProcessImpl;
   ~SocketProcessChild();
 
+  void InitSocketBackground();
+
  private:
   // Mapping of content process id and the SocketProcessBridgeParent.
   // This table keeps SocketProcessBridgeParent alive in socket process.
@@ -163,11 +170,16 @@ class SocketProcessChild final : public PSocketProcessChild {
 
   RefPtr<ChildProfilerController> mProfilerController;
 
-  bool mShuttingDown{false};
   // Protect the table below.
   Mutex mMutex MOZ_UNANNOTATED{"SocketProcessChild::mMutex"};
   nsTHashMap<uint64_t, RefPtr<BackgroundDataBridgeParent>>
       mBackgroundDataBridgeMap;
+
+  bool mShuttingDown MOZ_GUARDED_BY(mMutex) = false;
+
+  nsCOMPtr<nsIEventTarget> mSocketThread;
+  // mIPCClientCertsChild is only accessed on the socket thread.
+  RefPtr<psm::IPCClientCertsChild> mIPCClientCertsChild;
 };
 
 }  // namespace net

netwerk/ipc/SocketProcessParent.cpp

@@ -16,6 +16,7 @@
 #include "mozilla/FOGIPC.h"
 #include "mozilla/net/DNSRequestParent.h"
 #include "mozilla/net/ProxyConfigLookupParent.h"
+#include "mozilla/net/SocketProcessBackgroundParent.h"
 #include "mozilla/RemoteLazyInputStreamParent.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TelemetryIPC.h"
@@ -257,6 +258,28 @@ mozilla::ipc::IPCResult SocketProcessParent::RecvInitBackground(
   return IPC_OK();
 }
 
+mozilla::ipc::IPCResult SocketProcessParent::RecvInitSocketBackground(
+    Endpoint<PSocketProcessBackgroundParent>&& aEndpoint) {
+  if (!aEndpoint.IsValid()) {
+    return IPC_FAIL(this, "Invalid endpoint");
+  }
+
+  nsCOMPtr<nsISerialEventTarget> transportQueue;
+  if (NS_FAILED(NS_CreateBackgroundTaskQueue("SocketBackgroundParentQueue",
+                                             getter_AddRefs(transportQueue)))) {
+    return IPC_FAIL(this, "NS_CreateBackgroundTaskQueue failed");
+  }
+
+  transportQueue->Dispatch(
+      NS_NewRunnableFunction("BindSocketBackgroundParent",
+                             [endpoint = std::move(aEndpoint)]() mutable {
+                               RefPtr<SocketProcessBackgroundParent> parent =
+                                   new SocketProcessBackgroundParent();
+                               endpoint.Bind(parent);
+                             }));
+  return IPC_OK();
+}
+
 already_AddRefed<PAltServiceParent>
 SocketProcessParent::AllocPAltServiceParent() {
   RefPtr<AltServiceParent> actor = new AltServiceParent();

netwerk/ipc/SocketProcessParent.h

@@ -79,14 +79,10 @@ class SocketProcessParent final
   mozilla::ipc::IPCResult RecvInitBackground(
       Endpoint<PBackgroundStarterParent>&& aEndpoint);
 
-  already_AddRefed<PAltServiceParent> AllocPAltServiceParent();
+  mozilla::ipc::IPCResult RecvInitSocketBackground(
+      Endpoint<PSocketProcessBackgroundParent>&& aEndpoint);
 
-  mozilla::ipc::IPCResult RecvFindIPCClientCertObjects(
-      nsTArray<IPCClientCertObject>* aObjects);
-  mozilla::ipc::IPCResult RecvIPCClientCertSign(ByteArray aCert,
-                                                ByteArray aData,
-                                                ByteArray aParams,
-                                                ByteArray* aSignature);
+  already_AddRefed<PAltServiceParent> AllocPAltServiceParent();
 
   already_AddRefed<PProxyConfigLookupParent> AllocPProxyConfigLookupParent(
       nsIURI* aURI, const uint32_t& aProxyResolveFlags);

netwerk/ipc/moz.build

@@ -24,6 +24,8 @@ EXPORTS.mozilla.net += [
     "ProxyConfigLookup.h",
     "ProxyConfigLookupChild.h",
     "ProxyConfigLookupParent.h",
+    "SocketProcessBackgroundChild.h",
+    "SocketProcessBackgroundParent.h",
     "SocketProcessBridgeChild.h",
     "SocketProcessBridgeParent.h",
     "SocketProcessChild.h",
@@ -49,6 +51,8 @@ UNIFIED_SOURCES += [
     "ProxyConfigLookup.cpp",
     "ProxyConfigLookupChild.cpp",
     "ProxyConfigLookupParent.cpp",
+    "SocketProcessBackgroundChild.cpp",
+    "SocketProcessBackgroundParent.cpp",
     "SocketProcessBridgeChild.cpp",
     "SocketProcessBridgeParent.cpp",
     "SocketProcessChild.cpp",
@@ -77,6 +81,7 @@ IPDL_SOURCES = [
     "PProxyAutoConfig.ipdl",
     "PProxyConfigLookup.ipdl",
     "PSimpleChannel.ipdl",
+    "PSocketProcessBackground.ipdl",
     "PSocketProcessBridge.ipdl",
 ]
 

security/manager/ssl/IPCClientCertsParent.cpp

@@ -7,11 +7,11 @@
 
 #include "IPCClientCertsParent.h"
 #include "ScopedNSSTypes.h"
+#include "nsNetCID.h"
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 
 #include "mozilla/SyncRunnable.h"
-#include "mozilla/ipc/BackgroundParent.h"
 
 namespace mozilla::psm {
 
@@ -81,8 +81,8 @@ mozilla::ipc::IPCResult IPCClientCertsParent::RecvFindObjects(
 
 // When the IPC client certs module needs to sign data using a key managed by
 // the parent process, it will cause this function to be called in the parent
-// process. The parent process needs to find the key corresponding to the given
-// certificate and sign the given data with the given parameters.
+// process. The parent process needs to find the key corresponding to the
+// given certificate and sign the given data with the given parameters.
 mozilla::ipc::IPCResult IPCClientCertsParent::RecvSign(ByteArray aCert,
                                                        ByteArray aData,
                                                        ByteArray aParams,

security/manager/ssl/IPCClientCertsParent.h

@@ -12,14 +12,14 @@
 
 namespace mozilla {
 
-namespace ipc {
-class BackgroundParentImpl;
-}  // namespace ipc
+namespace net {
+class SocketProcessBackgroundParent;
+}  // namespace net
 
 namespace psm {
 
 class IPCClientCertsParent final : public PIPCClientCertsParent {
-  friend class mozilla::ipc::BackgroundParentImpl;
+  friend class mozilla::net::SocketProcessBackgroundParent;
 
  public:
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCClientCertsParent)

security/manager/ssl/PIPCClientCerts.ipdl

@@ -3,8 +3,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-include protocol PBackground;
-
 include PSMIPCTypes;
 
 using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h";
@@ -14,8 +12,6 @@ namespace psm {
 
 sync protocol PIPCClientCerts
 {
-  manager PBackground;
-
 parent:
   // Called from the socket process to the parent process to find client
   // certificates and associated keys.

security/manager/ssl/PSelectTLSClientAuthCert.ipdl

@@ -5,7 +5,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-include protocol PBackground;
 include PSMIPCTypes;
 
 namespace mozilla {
@@ -13,8 +12,6 @@ namespace psm {
 
 protocol PSelectTLSClientAuthCert
 {
-  manager PBackground;
-
 child:
   async TLSClientAuthCertSelected(ByteArray aSelectedCertBytes,
                                   ByteArray[] aSelectedCertChainBytes);

security/manager/ssl/PVerifySSLServerCert.ipdl

@@ -5,16 +5,15 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-include protocol PBackground;
 include PSMIPCTypes;
 
+using mozilla::OriginAttributes from "mozilla/ipc/BackgroundUtils.h";
+
 namespace mozilla {
 namespace psm {
 
 protocol PVerifySSLServerCert
 {
-  manager PBackground;
-
 child:
   async OnVerifiedSSLServerCertSuccess(ByteArray[] aBuiltCertChain,
                                        uint16_t aCertTransparencyStatus,

security/manager/ssl/TLSClientAuthCertSelection.cpp

@@ -28,9 +28,8 @@
 #include "cert_storage/src/cert_storage.h"
 #include "mozilla/Logging.h"
 #include "mozilla/dom/BrowsingContext.h"
-#include "mozilla/ipc/BackgroundChild.h"
-#include "mozilla/ipc/BackgroundParent.h"
-#include "mozilla/ipc/PBackgroundChild.h"
+#include "mozilla/ipc/Endpoint.h"
+#include "mozilla/net/SocketProcessBackgroundChild.h"
 #include "mozilla/psm/SelectTLSClientAuthCertChild.h"
 #include "mozilla/psm/SelectTLSClientAuthCertParent.h"
 #include "nsArray.h"
@@ -785,15 +784,32 @@ SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket,
              hostname(std::move(hostname)),
              originAttributes(std::move(originAttributes)), port, providerFlags,
              providerTlsFlags, serverCertBytes(std::move(serverCertBytes)),
-             caNamesBytes(std::move(caNamesBytes)), browserId(browserId)]() {
-              mozilla::ipc::PBackgroundChild* actorChild =
-                  mozilla::ipc::BackgroundChild::
-                      GetOrCreateForSocketParentBridgeForCurrentThread();
-              if (actorChild) {
-                Unused << actorChild->SendPSelectTLSClientAuthCertConstructor(
-                    selectClientAuthCertificate, hostname, originAttributes,
-                    port, providerFlags, providerTlsFlags,
-                    ByteArray(serverCertBytes), caNamesBytes, browserId);
+             caNamesBytes(std::move(caNamesBytes)),
+             browserId(browserId)]() mutable {
+              ipc::Endpoint<PSelectTLSClientAuthCertParent> parentEndpoint;
+              ipc::Endpoint<PSelectTLSClientAuthCertChild> childEndpoint;
+              PSelectTLSClientAuthCert::CreateEndpoints(&parentEndpoint,
+                                                        &childEndpoint);
+              if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor(
+                      "SendInitSelectTLSClientAuthCert",
+                      [endpoint = std::move(parentEndpoint),
+                       hostname(std::move(hostname)),
+                       originAttributes(std::move(originAttributes)), port,
+                       providerFlags, providerTlsFlags,
+                       serverCertBytes(std::move(serverCertBytes)),
+                       caNamesBytes(std::move(caNamesBytes)), browserId](
+                          net::SocketProcessBackgroundChild* aActor) mutable {
+                        Unused << aActor->SendInitSelectTLSClientAuthCert(
+                            std::move(endpoint), hostname, originAttributes,
+                            port, providerFlags, providerTlsFlags,
+                            ByteArray(serverCertBytes), caNamesBytes,
+                            browserId);
+                      }))) {
+                return;
+              }
+
+              if (!childEndpoint.Bind(selectClientAuthCertificate)) {
+                return;
               }
             }));
     info->SetPendingSelectClientAuthCertificate(
@@ -815,9 +831,6 @@ SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket,
   return SECWouldBlock;
 }
 
-using mozilla::ipc::AssertIsOnBackgroundThread;
-using mozilla::ipc::IsOnBackgroundThread;
-
 // Helper continuation for when a client authentication certificate has been
 // selected in the parent process and the information needs to be sent to the
 // socket process.
@@ -827,13 +840,13 @@ class RemoteClientAuthCertificateSelected
   explicit RemoteClientAuthCertificateSelected(
       SelectTLSClientAuthCertParent* selectTLSClientAuthCertParent)
       : mSelectTLSClientAuthCertParent(selectTLSClientAuthCertParent),
-        mEventTarget(NS_GetCurrentThread()) {}
+        mEventTarget(GetCurrentSerialEventTarget()) {}
 
   NS_IMETHOD Run() override;
 
  private:
   RefPtr<SelectTLSClientAuthCertParent> mSelectTLSClientAuthCertParent;
-  nsCOMPtr<nsIEventTarget> mEventTarget;
+  nsCOMPtr<nsISerialEventTarget> mEventTarget;
 };
 
 NS_IMETHODIMP
@@ -910,8 +923,6 @@ bool SelectTLSClientAuthCertParent::Dispatch(
 void SelectTLSClientAuthCertParent::TLSClientAuthCertSelected(
     const nsTArray<uint8_t>& aSelectedCertBytes,
     nsTArray<nsTArray<uint8_t>>&& aSelectedCertChainBytes) {
-  AssertIsOnBackgroundThread();
-
   if (!CanSend()) {
     return;
   }
@@ -923,7 +934,7 @@ void SelectTLSClientAuthCertParent::TLSClientAuthCertSelected(
 
   Unused << SendTLSClientAuthCertSelected(aSelectedCertBytes,
                                           selectedCertChainBytes);
-  Unused << Send__delete__(this);
+  Close();
 }
 
 void SelectTLSClientAuthCertParent::ActorDestroy(

security/manager/ssl/VerifySSLServerCertChild.cpp

@@ -8,8 +8,10 @@
 #include "VerifySSLServerCertChild.h"
 
 #include "CertVerifier.h"
-#include "mozilla/ipc/BackgroundChild.h"
-#include "mozilla/ipc/PBackgroundChild.h"
+#include "mozilla/ipc/Endpoint.h"
+#include "mozilla/net/SocketProcessBackgroundChild.h"
+#include "mozilla/psm/PVerifySSLServerCertParent.h"
+#include "mozilla/psm/PVerifySSLServerCertChild.h"
 #include "nsNSSIOLayer.h"
 #include "nsSerializationHelper.h"
 
@@ -98,19 +100,33 @@ SECStatus RemoteProcessCertVerification(
     dcInfo.ref().authKeyBits() = static_cast<uint32_t>(aDcInfo->authKeyBits);
   }
 
-  mozilla::ipc::PBackgroundChild* actorChild = mozilla::ipc::BackgroundChild::
-      GetOrCreateForSocketParentBridgeForCurrentThread();
-  if (!actorChild) {
+  ipc::Endpoint<PVerifySSLServerCertParent> parentEndpoint;
+  ipc::Endpoint<PVerifySSLServerCertChild> childEndpoint;
+  PVerifySSLServerCert::CreateEndpoints(&parentEndpoint, &childEndpoint);
+
+  if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor(
+          "SendInitVerifySSLServerCert",
+          [endpoint = std::move(parentEndpoint),
+           peerCertBytes = std::move(peerCertBytes),
+           hostName = PromiseFlatCString(aHostName), port(aPort),
+           originAttributes(aOriginAttributes),
+           stapledOCSPResponse = std::move(stapledOCSPResponse),
+           sctsFromTLSExtension = std::move(sctsFromTLSExtension),
+           dcInfo = std::move(dcInfo), providerFlags(aProviderFlags),
+           certVerifierFlags(aCertVerifierFlags)](
+              net::SocketProcessBackgroundChild* aActor) mutable {
+            Unused << aActor->SendInitVerifySSLServerCert(
+                std::move(endpoint), peerCertBytes, hostName, port,
+                originAttributes, stapledOCSPResponse, sctsFromTLSExtension,
+                dcInfo, providerFlags, certVerifierFlags);
+          }))) {
     PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
     return SECFailure;
   }
 
   RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild(
       aResultTask, std::move(aPeerCertChain), aProviderFlags);
-  if (!actorChild->SendPVerifySSLServerCertConstructor(
-          authCert, peerCertBytes, PromiseFlatCString(aHostName), aPort,
-          aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,
-          aProviderFlags, aCertVerifierFlags)) {
+  if (!childEndpoint.Bind(authCert)) {
     PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
     return SECFailure;
   }

security/manager/ssl/VerifySSLServerCertParent.cpp

@@ -15,14 +15,10 @@
 #include "SSLServerCertVerification.h"
 #include "nsNSSIOLayer.h"
 #include "nsISocketProvider.h"
-#include "mozilla/ipc/BackgroundParent.h"
 #include "mozilla/Unused.h"
 
 extern mozilla::LazyLogModule gPIPNSSLog;
 
-using mozilla::ipc::AssertIsOnBackgroundThread;
-using mozilla::ipc::IsOnBackgroundThread;
-
 using namespace mozilla::pkix;
 
 namespace mozilla {
@@ -35,8 +31,6 @@ void VerifySSLServerCertParent::OnVerifiedSSLServerCert(
     uint16_t aCertificateTransparencyStatus, uint8_t aEVStatus, bool aSucceeded,
     PRErrorCode aFinalError, uint32_t aOverridableErrorCategory,
     bool aIsBuiltCertChainRootBuiltInRoot, bool aMadeOCSPRequests) {
-  AssertIsOnBackgroundThread();
-
   if (!CanSend()) {
     return;
   }
@@ -49,7 +43,8 @@ void VerifySSLServerCertParent::OnVerifiedSSLServerCert(
     Unused << SendOnVerifiedSSLServerCertFailure(
         aFinalError, aOverridableErrorCategory, aMadeOCSPRequests);
   }
-  Unused << Send__delete__(this);
+
+  Close();
 }
 
 namespace {
@@ -134,9 +129,8 @@ bool VerifySSLServerCertParent::Dispatch(
     const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
     const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("VerifySSLServerCertParent::Dispatch"));
-  AssertIsOnBackgroundThread();
 
-  mBackgroundThread = NS_GetCurrentThread();
+  mBackgroundThread = GetCurrentSerialEventTarget();
 
   nsTArray<nsTArray<uint8_t>> peerCertBytes;
   for (auto& certBytes : aPeerCertChain) {

security/manager/ssl/VerifySSLServerCertParent.h

@@ -51,7 +51,7 @@ class VerifySSLServerCertParent : public PVerifySSLServerCertParent {
   // PVerifySSLServerCertParent
   void ActorDestroy(ActorDestroyReason aWhy) override;
 
-  nsCOMPtr<nsIEventTarget> mBackgroundThread;
+  nsCOMPtr<nsISerialEventTarget> mBackgroundThread;
 };
 
 }  // namespace psm

security/manager/ssl/nsNSSIOLayer.cpp

@@ -27,8 +27,6 @@
 #include "mozilla/RandomNum.h"
 #include "mozilla/StaticPrefs_security.h"
 #include "mozilla/Telemetry.h"
-#include "mozilla/ipc/BackgroundChild.h"
-#include "mozilla/ipc/PBackgroundChild.h"
 #include "mozilla/net/SSLTokensCache.h"
 #include "mozilla/net/SocketProcessChild.h"
 #include "mozilla/psm/IPCClientCertsChild.h"
@@ -1659,24 +1657,6 @@ loser:
   return NS_ERROR_FAILURE;
 }
 
-already_AddRefed<IPCClientCertsChild> GetIPCClientCertsActor() {
-  PBackgroundChild* backgroundActor =
-      BackgroundChild::GetOrCreateForSocketParentBridgeForCurrentThread();
-  if (!backgroundActor) {
-    return nullptr;
-  }
-  RefPtr<PIPCClientCertsChild> actor =
-      SingleManagedOrNull(backgroundActor->ManagedPIPCClientCertsChild());
-  if (!actor) {
-    actor = backgroundActor->SendPIPCClientCertsConstructor(
-        new IPCClientCertsChild());
-    if (!actor) {
-      return nullptr;
-    }
-  }
-  return actor.forget().downcast<IPCClientCertsChild>();
-}
-
 extern "C" {
 
 const uint8_t kIPCClientCertsObjectTypeCert = 1;
@@ -1687,7 +1667,14 @@ const uint8_t kIPCClientCertsObjectTypeECKey = 3;
 // parent process to find certificates and keys and send identifying
 // information about them over IPC.
 void DoFindObjects(FindObjectsCallback cb, void* ctx) {
-  RefPtr<IPCClientCertsChild> ipcClientCertsActor(GetIPCClientCertsActor());
+  net::SocketProcessChild* socketChild =
+      net::SocketProcessChild::GetSingleton();
+  if (!socketChild) {
+    return;
+  }
+
+  RefPtr<IPCClientCertsChild> ipcClientCertsActor(
+      socketChild->GetIPCClientCertsActor());
   if (!ipcClientCertsActor) {
     return;
   }
@@ -1731,7 +1718,14 @@ void DoFindObjects(FindObjectsCallback cb, void* ctx) {
 void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len,
             const uint8_t* data, size_t params_len, const uint8_t* params,
             SignCallback cb, void* ctx) {
-  RefPtr<IPCClientCertsChild> ipcClientCertsActor(GetIPCClientCertsActor());
+  net::SocketProcessChild* socketChild =
+      net::SocketProcessChild::GetSingleton();
+  if (!socketChild) {
+    return;
+  }
+
+  RefPtr<IPCClientCertsChild> ipcClientCertsActor(
+      socketChild->GetIPCClientCertsActor());
   if (!ipcClientCertsActor) {
     return;
   }