bug 1027720 - enforce h2 requirement that sever uses aead r=hurley r=dkeeler

2024-11-25 13:51:41 +00:00 · 2014-08-01 16:59:00 -04:00 · 2014-08-01 16:59:00 -04:00 · 004b6798a9
commit 004b6798a9
parent 7feeef7c09
5 changed files with 33 additions and 1 deletions
--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@ -2947,6 +2947,14 @@ Http2Session::ConfirmTLSProfile()
    RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
  }

+  int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+  LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+        this, macAlgorithm));
+  if (macAlgorithm != nsISSLSocketControl::nsISSLSocketControl::SSL_MAC_AEAD) {
+    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to lack of AEAD\n", this));
+    RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+  }
+
  /* We are required to send SNI. We do that already, so no check is done
   * here to make sure we did. */

--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@ -14,7 +14,7 @@ class nsCString;
 %}
 [ref] native nsCStringTArrayRef(nsTArray<nsCString>);

-[scriptable, builtinclass, uuid(ec72446c-8241-457f-ba75-83d214392289)]
+[scriptable, builtinclass, uuid(2032ad83-229f-4ddb-818a-59b9ae4ecd4b)]
 interface nsISSLSocketControl : nsISupports {
    attribute nsIInterfaceRequestor     notificationCallbacks;

@ -82,5 +82,17 @@ interface nsISSLSocketControl : nsISupports {
    const short SSL_VERSION_UNKNOWN = -1;

    [infallible] readonly attribute short SSLVersionUsed;
+
+    /* These values match the NSS defined values in sslt.h */
+    const short SSL_MAC_UNKNOWN = -1;
+    const short SSL_MAC_NULL    = 0;
+    const short SSL_MAC_MD5     = 1;
+    const short SSL_MAC_SHA     = 2;
+    const short SSL_HMAC_MD5    = 3;
+    const short SSL_HMAC_SHA    = 4;
+    const short SSL_HMAC_SHA256 = 5;
+    const short SSL_MAC_AEAD    = 6;
+
+    [infallible] readonly attribute short MACAlgorithmUsed;
 };

--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@ -898,6 +898,7 @@ PreliminaryHandshakeDone(PRFileDesc* fd)
      status->mCipherName.Assign(cipherInfo.cipherSuiteName);
      infoObject->SetKEAUsed(cipherInfo.keaType);
      infoObject->SetKEAKeyBits(channelInfo.keaKeyBits);
+      infoObject->SetMACAlgorithmUsed(cipherInfo.macAlgorithm);
    }
  }

--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -137,6 +137,7 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags)
    mKEAExpected(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
    mKEAKeyBits(0),
    mSSLVersionUsed(nsISSLSocketControl::SSL_VERSION_UNKNOWN),
+    mMACAlgorithmUsed(nsISSLSocketControl::SSL_MAC_UNKNOWN),
    mProviderFlags(providerFlags),
    mSocketCreationTimestamp(TimeStamp::Now()),
    mPlaintextBytesRead(0)
@ -195,6 +196,13 @@ nsNSSSocketInfo::GetSSLVersionUsed(int16_t* aSSLVersionUsed)
  return NS_OK;
 }

+NS_IMETHODIMP
+nsNSSSocketInfo::GetMACAlgorithmUsed(int16_t* aMac)
+{
+  *aMac = mMACAlgorithmUsed;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNSSSocketInfo::GetRememberClientAuthCertificate(bool* aRemember)
 {
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@ -111,6 +111,8 @@ public:
    mSSLVersionUsed = version;
  }

+  void SetMACAlgorithmUsed(int16_t mac) { mMACAlgorithmUsed = mac; }
+
 protected:
  virtual ~nsNSSSocketInfo();

@ -144,6 +146,7 @@ private:
  int16_t mKEAExpected;
  uint32_t mKEAKeyBits;
  int16_t mSSLVersionUsed;
+  int16_t mMACAlgorithmUsed;

  uint32_t mProviderFlags;
  mozilla::TimeStamp mSocketCreationTimestamp;