Backed out changesets fb903f13f215, 9c5c712698e4, and 36d257ead3da (bug 1092835) for causing test_csp_allow_https_schemes.html permafail on Android 2.3.

CLOSED TREE
This commit is contained in:
Ryan VanderMeulen 2014-12-09 14:00:47 -05:00
parent 131c9d3d17
commit 1bdab6fe7b
12 changed files with 59 additions and 128 deletions

View File

@ -2,87 +2,72 @@
/* Any copyright is dedicated to the Public Domain.
* http://creativecommons.org/publicdomain/zero/1.0/ */
// Tests that the Web Console shows weak crypto warnings (SHA-1 Certificate, SSLv3, and RC4)
// Tests that the Web Console shows SHA-1 Certificate warnings
const TEST_URI_PATH = "/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
let gWebconsoleTests = [
{url: "https://sha1ee.example.com" + TEST_URI_PATH,
name: "SHA1 warning displayed successfully",
warning: ["SHA-1"], nowarning: ["SSL 3.0", "RC4"]},
{url: "https://ssl3.example.com" + TEST_URI_PATH,
name: "SSL3 warning displayed successfully",
pref: [["security.tls.version.min", 0]],
warning: ["SSL 3.0"], nowarning: ["SHA-1", "RC4"]},
{url: "https://rc4.example.com" + TEST_URI_PATH,
name: "RC4 warning displayed successfully",
warning: ["RC4"], nowarning: ["SHA-1", "SSL 3.0"]},
{url: "https://ssl3rc4.example.com" + TEST_URI_PATH,
name: "SSL3 and RC4 warning displayed successfully",
pref: [["security.tls.version.min", 0]],
warning: ["SSL 3.0", "RC4"], nowarning: ["SHA-1"]},
{url: "https://sha256ee.example.com" + TEST_URI_PATH,
name: "SSL warnings appropriately not present",
warning: [], nowarning: ["SHA-1", "SSL 3.0", "RC4"]},
];
const TEST_BAD_URI = "https://sha1ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
const TEST_GOOD_URI = "https://sha256ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html";
const TRIGGER_MSG = "If you haven't seen ssl warnings yet, you won't";
let gHud = undefined;
let gCurrentTest;
function test() {
registerCleanupFunction(function () {
gHud = null;
});
addTab("data:text/html;charset=utf8,Web Console weak crypto warnings test");
addTab("data:text/html;charset=utf8,Web Console SHA-1 warning test");
browser.addEventListener("load", function _onLoad() {
browser.removeEventListener("load", _onLoad, true);
openConsole(null, runTestLoop);
openConsole(null, loadBadDocument);
}, true);
}
function runTestLoop(theHud) {
gCurrentTest = gWebconsoleTests.shift();
if (!gCurrentTest) {
finishTest();
}
if (!gHud) {
gHud = theHud;
}
gHud.jsterm.clearOutput();
browser.addEventListener("load", onLoad, true);
if (gCurrentTest.pref) {
SpecialPowers.pushPrefEnv({"set": gCurrentTest.pref},
function() {
content.location = gCurrentTest.url;
});
} else {
content.location = gCurrentTest.url;
}
function loadBadDocument(theHud) {
gHud = theHud;
browser.addEventListener("load", onBadLoad, true);
content.location = TEST_BAD_URI;
}
function onLoad(aEvent) {
browser.removeEventListener("load", onLoad, true);
function onBadLoad(aEvent) {
browser.removeEventListener("load", onBadLoad, true);
testForWarningMessage();
}
function loadGoodDocument(theHud) {
gHud.jsterm.clearOutput()
browser.addEventListener("load", onGoodLoad, true);
content.location = TEST_GOOD_URI;
}
function onGoodLoad(aEvent) {
browser.removeEventListener("load", onGoodLoad, true);
testForNoWarning();
}
function testForWarningMessage() {
let aOutputNode = gHud.outputNode;
waitForSuccess({
name: gCurrentTest.name,
name: "SHA1 warning displayed successfully",
validatorFn: function() {
if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) >= 0) {
for (let warning of gCurrentTest.warning) {
if (gHud.outputNode.textContent.indexOf(warning) < 0) {
return false;
}
}
for (let nowarning of gCurrentTest.nowarning) {
if (gHud.outputNode.textContent.indexOf(nowarning) >= 0) {
return false;
}
}
return true;
}
return gHud.outputNode.textContent.indexOf("SHA-1") > -1;
},
successFn: runTestLoop,
successFn: loadGoodDocument,
failureFn: finishTest,
});
}
function testForNoWarning() {
let aOutputNode = gHud.outputNode;
waitForSuccess({
name: "SHA1 warning appropriately missed",
validatorFn: function() {
if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) > -1) {
return gHud.outputNode.textContent.indexOf("SHA-1") == -1;
}
},
successFn: finishTest,
failureFn: finishTest,
});
}

Binary file not shown.

Binary file not shown.

View File

@ -233,8 +233,3 @@ https://include-subdomains.pinning.example.com:443 privileged,cer
# Hosts for sha1 console warning tests
https://sha1ee.example.com:443 privileged,cert=sha1_end_entity
https://sha256ee.example.com:443 privileged,cert=sha256_end_entity
# Hosts for ssl3/rc4 console warning tests
https://ssl3.example.com:443 privileged,ssl3
https://rc4.example.com:443 privileged,rc4
https://ssl3rc4.example.com:443 privileged,ssl3,rc4

View File

@ -19,8 +19,3 @@ LoadingMixedActiveContent=Loading mixed (insecure) active content on a secure pa
LoadingMixedDisplayContent=Loading mixed (insecure) display content on a secure page "%1$S"
# LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe"
BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.
# LOCALIZATION NOTE: Do not translate "SSL 3.0".
WeakProtocolVersionWarning=This site uses the protocol SSL 3.0 for encryption, which is deprecated and insecure.
# LOCALIZATION NOTE: Do not translate "RC4".
WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure.

View File

@ -8,7 +8,7 @@ interface nsIDOMWindow;
interface nsIObserver;
interface nsIPrompt;
[scriptable, uuid(10b6ec13-09ed-4f7d-9df9-962c0d18306f)]
[scriptable, uuid(594fd36d-5b1b-412f-a74e-ab72099a5bb2)]
interface nsIPrintProgress: nsIWebProgressListener {
/* Open the progress dialog

View File

@ -48,8 +48,6 @@
#include "nsIScriptSecurityManager.h"
#include "nsISSLStatus.h"
#include "nsISSLStatusProvider.h"
#include "nsITransportSecurityInfo.h"
#include "nsIWebProgressListener.h"
#include "LoadContextInfo.h"
#include "netCore.h"
#include "nsHttpTransaction.h"
@ -1218,25 +1216,6 @@ nsHttpChannel::ProcessSSLInformation()
if (!sslstat)
return;
nsCOMPtr<nsITransportSecurityInfo> securityInfo =
do_QueryInterface(mSecurityInfo);
uint32_t state;
if (securityInfo &&
NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) &&
(state & nsIWebProgressListener::STATE_IS_BROKEN)) {
// Send weak crypto warnings to the web console
if (state & nsIWebProgressListener::STATE_USES_SSL_3) {
nsString consoleErrorTag = NS_LITERAL_STRING("WeakProtocolVersionWarning");
nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
AddSecurityMessage(consoleErrorTag, consoleErrorCategory);
}
if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) {
nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning");
nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");
AddSecurityMessage(consoleErrorTag, consoleErrorCategory);
}
}
// Send (SHA-1) signature algorithm errors to the web console
nsCOMPtr<nsIX509Cert> cert;
sslstat->GetServerCert(getter_AddRefs(cert));

View File

@ -1172,8 +1172,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
infoObject->GetPort(),
versions.max);
bool usesWeakProtocol = false;
bool usesWeakCipher = false;
bool weakEncryption = false;
SSLChannelInfo channelInfo;
rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
MOZ_ASSERT(rv == SECSuccess);
@ -1192,9 +1191,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
sizeof cipherInfo);
MOZ_ASSERT(rv == SECSuccess);
if (rv == SECSuccess) {
usesWeakProtocol =
channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0;
usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;
weakEncryption =
(channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0) ||
(cipherInfo.symCipher == ssl_calg_rc4);
// keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
Telemetry::Accumulate(
@ -1266,23 +1265,15 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
if (rv != SECSuccess) {
siteSupportsSafeRenego = false;
}
bool renegotiationUnsafe = !siteSupportsSafeRenego &&
ioLayerHelpers.treatUnsafeNegotiationAsBroken();
uint32_t state;
if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) {
state = nsIWebProgressListener::STATE_IS_BROKEN;
if (usesWeakProtocol) {
state |= nsIWebProgressListener::STATE_USES_SSL_3;
}
if (usesWeakCipher) {
state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO;
}
if (!weakEncryption &&
(siteSupportsSafeRenego ||
!ioLayerHelpers.treatUnsafeNegotiationAsBroken())) {
infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_SECURE |
nsIWebProgressListener::STATE_SECURE_HIGH);
} else {
state = nsIWebProgressListener::STATE_IS_SECURE |
nsIWebProgressListener::STATE_SECURE_HIGH;
infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_BROKEN);
}
infoObject->SetSecurityState(state);
// XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
// we should set a flag on the channel that higher (UI) level code can check

View File

@ -24,7 +24,7 @@ interface nsIMIMEInfo;
* nsIDownloadManager::DOWNLOAD_DIRTY
* nsIDownloadManager::DOWNLOAD_BLOCKED_POLICY
*/
[scriptable, uuid(59f00997-c2ab-4a8b-901d-ccb761cadddd)]
[scriptable, uuid(2258f465-656e-4566-87cb-f791dbaf0322)]
interface nsIDownload : nsITransfer {
/**

View File

@ -11,7 +11,7 @@ interface nsICancelable;
interface nsIMIMEInfo;
interface nsIFile;
[scriptable, uuid(9b729b43-0d74-4762-bf11-8cb88a88ead3)]
[scriptable, uuid(37ec75d3-97ad-4da8-afaa-eabe5b4afd73)]
interface nsITransfer : nsIWebProgressListener2 {
/**

View File

@ -17,7 +17,7 @@ interface nsIURI;
* nsIWebProgress instances. nsIWebProgress.idl describes the parent-child
* relationship of nsIWebProgress instances.
*/
[scriptable, uuid(90685740-e180-41f1-8394-441c470d5096)]
[scriptable, uuid(a9df523b-efe2-421e-9d8e-3d7f807dda4c)]
interface nsIWebProgressListener : nsISupports
{
/**
@ -252,20 +252,6 @@ interface nsIWebProgressListener : nsISupports
const unsigned long STATE_IDENTITY_EV_TOPLEVEL = 0x00100000;
/**
* Broken state flags
*
* These flags describe the reason of the broken state.
*
* STATE_USES_SSL_3
* The topmost document uses SSL 3.0.
*
* STATE_USES_WEAK_CRYPTO
* The topmost document uses a weak cipher suite such as RC4.
*/
const unsigned long STATE_USES_SSL_3 = 0x01000000;
const unsigned long STATE_USES_WEAK_CRYPTO = 0x02000000;
/**
* Notification indicating the state has changed for one of the requests
* associated with aWebProgress.

View File

@ -7,7 +7,7 @@
/**
* An extended version of nsIWebProgressListener.
*/
[scriptable, uuid(19e9d920-c67e-406c-aeea-77ac5a5c908d)]
[scriptable, uuid(dde39de0-e4e0-11da-8ad9-0800200c9a66)]
interface nsIWebProgressListener2 : nsIWebProgressListener {
/**
* Notification that the progress has changed for one of the requests