From 1bdab6fe7bd7697866a903f09ed5b8da5b96ea2b Mon Sep 17 00:00:00 2001
From: Ryan VanderMeulen
Date: Tue, 9 Dec 2014 14:00:47 -0500
Subject: [PATCH] Backed out changesets fb903f13f215, 9c5c712698e4, and 36d257ead3da (bug 1092835) for causing test_csp_allow_https_schemes.html permafail on Android 2.3. CLOSED TREE
---
...browser_webconsole_certificate_messages.js | 103 ++++++++----------
build/pgo/certs/cert8.db | Bin 65536 -> 65536 bytes
build/pgo/certs/key3.db | Bin 110592 -> 110592 bytes
build/pgo/server-locations.txt | 5 -
.../en-US/chrome/security/security.properties | 5 -
layout/printing/nsIPrintProgress.idl | 2 +-
netwerk/protocol/http/nsHttpChannel.cpp | 21 ----
security/manager/ssl/src/nsNSSCallbacks.cpp | 29 ++---
toolkit/components/downloads/nsIDownload.idl | 2 +-
uriloader/base/nsITransfer.idl | 2 +-
uriloader/base/nsIWebProgressListener.idl | 16 +--
uriloader/base/nsIWebProgressListener2.idl | 2 +-
12 files changed, 59 insertions(+), 128 deletions(-)
diff --git a/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js b/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
index 8f41d13222fa..d469b9411557 100644
--- a/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
+++ b/browser/devtools/webconsole/test/browser_webconsole_certificate_messages.js
@@ -2,87 +2,72 @@ /* Any copyright is dedicated to the Public Domain. * http://creativecommons.org/publicdomain/zero/1.0/ */ -// Tests that the Web Console shows weak crypto warnings (SHA-1 Certificate, SSLv3, and RC4) +// Tests that the Web Console shows SHA-1 Certificate warnings -const TEST_URI_PATH = "/browser/browser/devtools/webconsole/test/test-certificate-messages.html"; -let gWebconsoleTests = [ - {url: "https://sha1ee.example.com" + TEST_URI_PATH, - name: "SHA1 warning displayed successfully", - warning: ["SHA-1"], nowarning: ["SSL 3.0", "RC4"]}, - {url: "https://ssl3.example.com" + TEST_URI_PATH, - name: "SSL3 warning displayed successfully", - pref: [["security.tls.version.min", 0]], - warning: ["SSL 3.0"], nowarning: ["SHA-1", "RC4"]}, - {url: "https://rc4.example.com" + TEST_URI_PATH, - name: "RC4 warning displayed successfully", - warning: ["RC4"], nowarning: ["SHA-1", "SSL 3.0"]}, - {url: "https://ssl3rc4.example.com" + TEST_URI_PATH, - name: "SSL3 and RC4 warning displayed successfully", - pref: [["security.tls.version.min", 0]], - warning: ["SSL 3.0", "RC4"], nowarning: ["SHA-1"]}, - {url: "https://sha256ee.example.com" + TEST_URI_PATH, - name: "SSL warnings appropriately not present", - warning: [], nowarning: ["SHA-1", "SSL 3.0", "RC4"]}, -]; +const TEST_BAD_URI = "https://sha1ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html"; +const TEST_GOOD_URI = "https://sha256ee.example.com/browser/browser/devtools/webconsole/test/test-certificate-messages.html"; const TRIGGER_MSG = "If you haven't seen ssl warnings yet, you won't"; let gHud = undefined; -let gCurrentTest; function test() { registerCleanupFunction(function () { gHud = null; }); - addTab("data:text/html;charset=utf8,Web Console weak crypto warnings test"); + addTab("data:text/html;charset=utf8,Web Console SHA-1 warning test"); browser.addEventListener("load", function _onLoad() { browser.removeEventListener("load", _onLoad, true); - openConsole(null, 
runTestLoop); + openConsole(null, loadBadDocument); }, true); } -function runTestLoop(theHud) { - gCurrentTest = gWebconsoleTests.shift(); - if (!gCurrentTest) { - finishTest(); - } - if (!gHud) { - gHud = theHud; - } - gHud.jsterm.clearOutput(); - browser.addEventListener("load", onLoad, true); - if (gCurrentTest.pref) { - SpecialPowers.pushPrefEnv({"set": gCurrentTest.pref}, - function() { - content.location = gCurrentTest.url; - }); - } else { - content.location = gCurrentTest.url; - } +function loadBadDocument(theHud) { + gHud = theHud; + browser.addEventListener("load", onBadLoad, true); + content.location = TEST_BAD_URI; } -function onLoad(aEvent) { - browser.removeEventListener("load", onLoad, true); +function onBadLoad(aEvent) { + browser.removeEventListener("load", onBadLoad, true); + testForWarningMessage(); +} + +function loadGoodDocument(theHud) { + gHud.jsterm.clearOutput() + browser.addEventListener("load", onGoodLoad, true); + content.location = TEST_GOOD_URI; +} + +function onGoodLoad(aEvent) { + browser.removeEventListener("load", onGoodLoad, true); + testForNoWarning(); +} + +function testForWarningMessage() { let aOutputNode = gHud.outputNode; waitForSuccess({ - name: gCurrentTest.name, + name: "SHA1 warning displayed successfully", validatorFn: function() { - if (gHud.outputNode.textContent.indexOf(TRIGGER_MSG) >= 0) { - for (let warning of gCurrentTest.warning) { - if (gHud.outputNode.textContent.indexOf(warning) < 0) { - return false; - } - } - for (let nowarning of gCurrentTest.nowarning) { - if (gHud.outputNode.textContent.indexOf(nowarning) >= 0) { - return false; - } - } - return true; - } + return gHud.outputNode.textContent.indexOf("SHA-1") > -1; }, - successFn: runTestLoop, + successFn: loadGoodDocument, + failureFn: finishTest, + }); +} + +function testForNoWarning() { + let aOutputNode = gHud.outputNode; + + waitForSuccess({ + name: "SHA1 warning appropriately missed", + validatorFn: function() { + if 
(gHud.outputNode.textContent.indexOf(TRIGGER_MSG) > -1) { + return gHud.outputNode.textContent.indexOf("SHA-1") == -1; + } + }, + successFn: finishTest, failureFn: finishTest, }); } 
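Review bot: In `testForNoWarning` the `validatorFn` falls off the end and returns `undefined` until TRIGGER_MSG shows up, which presumably relies on `waitForSuccess` treating that as "not yet"; an explicit `return false;` after the `if` would state the intent. In the same hunk `gHud.jsterm.clearOutput()` in `loadGoodDocument` is missing its semicolon. `let aOutputNode = gHud.outputNode;` is assigned but never read in both `testForWarningMessage` and `testForNoWarning`, and `loadGoodDocument(theHud)` never uses its parameter, so all three can be dropped.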
diff --git a/build/pgo/certs/cert8.db b/build/pgo/certs/cert8.db index bfc718af6536e811bbfd6ed242da91f48df47f1a..9b3b738f0d97412a1b93f1443ee5dc1e8cf0acbd 100644 GIT binary patch delta 453 zcmV;$0XqJGfCPYm1h8U23gRTiB&;MGB&s8`Y(O9(vuk3I0+Wnk=d%N4LmM0~EtDvO zC|@W)D6%J?CwV7VC&(sOCNw0{BQzwj(ODX^yP81>lh9!}vpuO{1QY=P07C>o1V99L z02eTV1amNg1Kg7lq>33ZFflSQGBGeSS{Ds6G%+wRF)}eSF)%Y)lO19hlgy+YfA$fU zpH@|Te4X@ajG07mM01PL-9>m&ubM)zdQMd0MbzQaHcP9ej#J?u3^AEa$2FmhdJHIH zcECeXE(+o+Tfoe=G-fq-THBs1wk*7=TIxBn+uaR}Jgd4*^#yK_cdIf`c@n7|2y!5% zNqiUEe72AMJ%+VEDS^CJ-XMK-ANK+S0RRD`f&zOmf&zCif&y~}163Un1cCx;FoFVR zvxlW-0+W$z6MtuhG)w2_eH_;e0!TD!(2dghqK v$=bYu5yDLWTog|myuq{}9)o`hZ`s6u^0U`Yaz|NI$pI#lxTuD+o~>e115&vg delta 498 zcmZo@U}-QFCWnBB{)c1>(edE^7A3_CwS5vkf(s;8kddBtQLq_ZSk40?n zD0|jCW8OA-X(nby2FArrOq&gwnAQXFYBuIjSwWU2rbR%`yv_2f(wKCb1d5AujP+70 z5_1c3QuUJabDQ{!l1)$qgh5Jxf|K<&$kaDBGDPlZT>c>EW_?G%dOO+sr&^BB=i0UW z=F;-y;-8TZj`94;ztaCFKK#Yw9bF6?_*zU1_)qXLN={&MTPw5R=%yuB+YW!4sdv_U zKC{;p-NtD%+W(trxy`X?WGg$zzd|$T7N?_%XSm%Pll|}WoDZJ3b-$Hi)-9e1M-JEP dyMH`An|FUqg1GljQ0Z*K=z#R&+9U9{W{d5i_ delta 1702 zcmV;X23h%l;0A!;29P@eMX@}@{}u=UfDg(H$_vZ}Oa_(%76V`aN&sL0lQ9rVlVFer zm(Xkh6@SZ?sJnS*SSo0-&6d0<-$ekrxDEmV0R(~qfWvEWM|TiM`SgEDVawbqpF{32 zNdhJ~toPuwKkL3)sct03#a>p%-sCK@@aKNHC>KQZ-T>YIc`o+jPOcgy8KnK}mAl}d zJkB0eZeH5O&V*M)l&I1{BG12uJ?rz>>fv0Ajbk7b1M~MRExwbiV2T$T8s zRL)r|&Qjk&oHBRabL|pBWDM*LYz}qY02W=WahM+f>f^-#PKa z_~930PRk~^&Zwx!M-uI;Y9Dg#s z+_VA7%-n49$U1)E&_g;;-Bp_uDBz=(1$0p$J??xr*h{-(tILw#{N;MPyE68YHF(!) 
zc1Y}gXp8A*;rxnIE}ewbZM+!2e&CfeOoj>LajgJzk`d63kbDkUFU$FNy>scdf+dRs z8R%Ck`Me=isd5|=kbKvgGFD_Io_|JDgeZXq-!o--GR0eqcH4G%Mig>`7 zwI*(v(}|hjdmw-ib{b{dkt%nmbRMVs5P>}dZ(gHSYYM<6e+kA>&&Oqrf+05c>vZ;m z0iJz~s>n~4C$)RjCO`)6MQ%25oDKv401pBRf(gt9z6Q(& zvjH%^29scr2A9xm0Tq8g#FSzV#0GGw+cwKlN6d8l%8;P~0RaSp0)TekE^&e4TvV_M znfd24(kDA6YKHW^ld}9EfTZ5nAgT;5$VGhlx?^&anI-qs6w$Ts*> zo>S3~sbXVgO_we8R;^x%!AO8=ovr?o#I@={bJBns;MKB3f&S(e7gK$+`&j!?q4yB( z+ugjRPZCmfWT&HY=0uBkkh{5SQ{dz{+^Nv{On-Abw;Xf~KvIR+j*;d_C}S#D9{UP- z8q>vpBz0|2bX|YL1lw^m-}mTg<{ftuAo?p6o%0USMcB8Ao1I`MUkz?R0c7aYf4YnueePcNE`H$B1bSeBPy zc`Cq-o#gb!_mbgqOXS=H?oz5*N36jegAz6QSvbBfNtA!Y#d+95WGASN=1iKxLe;@B zO}agkK`l7tR#L`gt#f7*4&>#5^>7-a8!=ScIS2<`I(`q$Revf}g5UscVGsC^-R5`aH=s0A;MiA#?(GU% zgR|MNvvhLU&EP!CFXgaqjHS#@8?ZcF(jXe+k++YoAJ!$$52km-R&5)69s(9gi~AKt zu;4SkD$-9`!S*3whSX8~k%TAU4q^i3*(Py?Ab*=0(k1RP%hnK}TM5_RqiSf@@j{OJ w1qUIqwTbu=a8A`^w!$dvzFU~rbHXyOkH%QHh<4_Kn4Y#9lVFe=vmF}a1x#&AC;$Ke diff --git a/build/pgo/server-locations.txt b/build/pgo/server-locations.txt index a2f62c7ff7af..bd2eb68d4234 100644 --- a/build/pgo/server-locations.txt +++ b/build/pgo/server-locations.txt @@ -233,8 +233,3 @@ https://include-subdomains.pinning.example.com:443 privileged,cer # Hosts for sha1 console warning tests https://sha1ee.example.com:443 privileged,cert=sha1_end_entity https://sha256ee.example.com:443 privileged,cert=sha256_end_entity - -# Hosts for ssl3/rc4 console warning tests -https://ssl3.example.com:443 privileged,ssl3 -https://rc4.example.com:443 privileged,rc4 -https://ssl3rc4.example.com:443 privileged,ssl3,rc4 diff --git a/dom/locales/en-US/chrome/security/security.properties b/dom/locales/en-US/chrome/security/security.properties index 076229c0c71b..20918c85e0f2 100644 --- a/dom/locales/en-US/chrome/security/security.properties +++ b/dom/locales/en-US/chrome/security/security.properties 
@@ -19,8 +19,3 @@ LoadingMixedActiveContent=Loading mixed (insecure) active content on a secure pa LoadingMixedDisplayContent=Loading mixed (insecure) display content on a secure page "%1$S" # LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe" BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. - -# LOCALIZATION NOTE: Do not translate "SSL 3.0". -WeakProtocolVersionWarning=This site uses the protocol SSL 3.0 for encryption, which is deprecated and insecure. -# LOCALIZATION NOTE: Do not translate "RC4". -WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure. diff --git a/layout/printing/nsIPrintProgress.idl b/layout/printing/nsIPrintProgress.idl index 2edcd2ef3dfd..9d6488edbcf5 100644 --- a/layout/printing/nsIPrintProgress.idl +++ b/layout/printing/nsIPrintProgress.idl @@ -8,7 +8,7 @@ interface nsIDOMWindow; interface nsIObserver; interface nsIPrompt; -[scriptable, uuid(10b6ec13-09ed-4f7d-9df9-962c0d18306f)] +[scriptable, uuid(594fd36d-5b1b-412f-a74e-ab72099a5bb2)] interface nsIPrintProgress: nsIWebProgressListener { /* Open the progress dialog diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index 9b63b0169b7d..943e9781205b 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -48,8 +48,6 @@ #include "nsIScriptSecurityManager.h" #include "nsISSLStatus.h" #include "nsISSLStatusProvider.h" -#include "nsITransportSecurityInfo.h" -#include "nsIWebProgressListener.h" #include "LoadContextInfo.h" #include "netCore.h" #include "nsHttpTransaction.h" 
@@ -1218,25 +1216,6 @@ nsHttpChannel::ProcessSSLInformation() if (!sslstat) return; - nsCOMPtr securityInfo = - do_QueryInterface(mSecurityInfo); - uint32_t state; - if (securityInfo && - NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) && - (state & nsIWebProgressListener::STATE_IS_BROKEN)) { - // Send weak crypto warnings to the web console - if (state & nsIWebProgressListener::STATE_USES_SSL_3) { - nsString consoleErrorTag = NS_LITERAL_STRING("WeakProtocolVersionWarning"); - nsString consoleErrorCategory = NS_LITERAL_STRING("SSL"); - AddSecurityMessage(consoleErrorTag, consoleErrorCategory); - } - if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) { - nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning"); - nsString consoleErrorCategory = NS_LITERAL_STRING("SSL"); - AddSecurityMessage(consoleErrorTag, consoleErrorCategory); - } - } - // Send (SHA-1) signature algorithm errors to the web console nsCOMPtr cert; sslstat->GetServerCert(getter_AddRefs(cert)); diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp index 50a09400d75b..75b3935b1b33 100644 --- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -1172,8 +1172,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { infoObject->GetPort(), versions.max); - bool usesWeakProtocol = false; - bool usesWeakCipher = false; + bool weakEncryption = false; SSLChannelInfo channelInfo; rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)); MOZ_ASSERT(rv == SECSuccess); 
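Review bot: `weakEncryption` starts as `false` in the nsNSSCallbacks.cpp hunk and, per the next hunk, is only assigned inside `if (rv == SECSuccess)`. If `SSL_GetChannelInfo` or `SSL_GetCipherSuiteInfo` fails in a build where `MOZ_ASSERT` compiles out, the third hunk's `!weakEncryption` test can still reach `STATE_IS_SECURE | STATE_SECURE_HIGH` for a handshake whose protocol version and cipher were never inspected. Failing closed would be safer: initialise with `bool weakEncryption = true;` (or track the lookup result separately) so an uninspected connection ends up `STATE_IS_BROKEN`. HandshakeCallback's body starts and ends outside these hunks, so check that no earlier return already covers the failure path.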
@@ -1192,9 +1191,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { sizeof cipherInfo); MOZ_ASSERT(rv == SECSuccess); if (rv == SECSuccess) { - usesWeakProtocol = - channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0; - usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4; + weakEncryption = + (channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0) || + (cipherInfo.symCipher == ssl_calg_rc4); // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4 Telemetry::Accumulate( @@ -1266,23 +1265,15 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { if (rv != SECSuccess) { siteSupportsSafeRenego = false; } - bool renegotiationUnsafe = !siteSupportsSafeRenego && - ioLayerHelpers.treatUnsafeNegotiationAsBroken(); - uint32_t state; - if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) { - state = nsIWebProgressListener::STATE_IS_BROKEN; - if (usesWeakProtocol) { - state |= nsIWebProgressListener::STATE_USES_SSL_3; - } - if (usesWeakCipher) { - state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO; - } + if (!weakEncryption && + (siteSupportsSafeRenego || + !ioLayerHelpers.treatUnsafeNegotiationAsBroken())) { + infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_SECURE | + nsIWebProgressListener::STATE_SECURE_HIGH); } else { - state = nsIWebProgressListener::STATE_IS_SECURE | - nsIWebProgressListener::STATE_SECURE_HIGH; + infoObject->SetSecurityState(nsIWebProgressListener::STATE_IS_BROKEN); } - infoObject->SetSecurityState(state); // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead, // we should set a flag on the channel that higher (UI) level code can check diff --git a/toolkit/components/downloads/nsIDownload.idl b/toolkit/components/downloads/nsIDownload.idl index f1870c6a2709..47eb48780856 100644 --- a/toolkit/components/downloads/nsIDownload.idl +++ b/toolkit/components/downloads/nsIDownload.idl 
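Review bot: The restored `if (!weakEncryption && (siteSupportsSafeRenego || !ioLayerHelpers.treatUnsafeNegotiationAsBroken()))` in the last hunk of this file folds three independent causes into a single `STATE_IS_BROKEN`, and no comment says which they are. A one-line comment above the condition would make the downgrade reasons readable, for example `// Broken when SSL 3.0 or RC4 was negotiated, or when safe renegotiation is missing and treatUnsafeNegotiationAsBroken() is set.` The enclosing HandshakeCallback continues past the hunk.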
@@ -24,7 +24,7 @@ interface nsIMIMEInfo; * nsIDownloadManager::DOWNLOAD_DIRTY * nsIDownloadManager::DOWNLOAD_BLOCKED_POLICY */ -[scriptable, uuid(59f00997-c2ab-4a8b-901d-ccb761cadddd)] +[scriptable, uuid(2258f465-656e-4566-87cb-f791dbaf0322)] interface nsIDownload : nsITransfer { /** diff --git a/uriloader/base/nsITransfer.idl b/uriloader/base/nsITransfer.idl index 3cf016c88e6c..da34d4ac490a 100644 --- a/uriloader/base/nsITransfer.idl +++ b/uriloader/base/nsITransfer.idl @@ -11,7 +11,7 @@ interface nsICancelable; interface nsIMIMEInfo; interface nsIFile; -[scriptable, uuid(9b729b43-0d74-4762-bf11-8cb88a88ead3)] +[scriptable, uuid(37ec75d3-97ad-4da8-afaa-eabe5b4afd73)] interface nsITransfer : nsIWebProgressListener2 { /** diff --git a/uriloader/base/nsIWebProgressListener.idl b/uriloader/base/nsIWebProgressListener.idl index b4d2fabb6160..6bb6811cd2bc 100644 --- a/uriloader/base/nsIWebProgressListener.idl +++ b/uriloader/base/nsIWebProgressListener.idl @@ -17,7 +17,7 @@ interface nsIURI; * nsIWebProgress instances. nsIWebProgress.idl describes the parent-child * relationship of nsIWebProgress instances. */ -[scriptable, uuid(90685740-e180-41f1-8394-441c470d5096)] +[scriptable, uuid(a9df523b-efe2-421e-9d8e-3d7f807dda4c)] interface nsIWebProgressListener : nsISupports { /** @@ -252,20 +252,6 @@ interface nsIWebProgressListener : nsISupports const unsigned long STATE_IDENTITY_EV_TOPLEVEL = 0x00100000; - /** - * Broken state flags - * - * These flags describe the reason of the broken state. - * - * STATE_USES_SSL_3 - * The topmost document uses SSL 3.0. - * - * STATE_USES_WEAK_CRYPTO - * The topmost document uses a weak cipher suite such as RC4. - */ - const unsigned long STATE_USES_SSL_3 = 0x01000000; - const unsigned long STATE_USES_WEAK_CRYPTO = 0x02000000; - /** * Notification indicating the state has changed for one of the requests * associated with aWebProgress. 
diff --git a/uriloader/base/nsIWebProgressListener2.idl b/uriloader/base/nsIWebProgressListener2.idl index a2b5c66da86f..87701f8d2cfe 100644 --- a/uriloader/base/nsIWebProgressListener2.idl +++ b/uriloader/base/nsIWebProgressListener2.idl @@ -7,7 +7,7 @@ /** * An extended version of nsIWebProgressListener. */ -[scriptable, uuid(19e9d920-c67e-406c-aeea-77ac5a5c908d)] +[scriptable, uuid(dde39de0-e4e0-11da-8ad9-0800200c9a66)] interface nsIWebProgressListener2 : nsIWebProgressListener { /** * Notification that the progress has changed for one of the requests