Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-08 02:14:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1546816 - Part 1-1: Remove MITM_OK flag and bypassAuthentication r=keeler

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D45019

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Kershaw Chang 2019-09-09 13:46:45 +00:00
parent 7218b30b4c
commit 487ae96c4a
8 changed files with 9 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
netwerk/base/FuzzySecurityInfo.cpp
View File

@ -234,12 +234,6 @@ FuzzySecurityInfo::GetClientCertSent(bool* arg) {
return NS_OK;
}
NS_IMETHODIMP
FuzzySecurityInfo::GetBypassAuthentication(bool* arg) {
*arg = false;
return NS_OK;
}
NS_IMETHODIMP
FuzzySecurityInfo::GetFailedVerification(bool* arg) {
*arg = false;

17
netwerk/base/nsISocketTransport.idl
View File

@ -223,26 +223,19 @@ interface nsISocketTransport : nsITransport
*/
const unsigned long DISABLE_RFC1918 = (1 << 5);
/**
* This flag is an explicit opt-in that allows a normally secure socket
* provider to use, at its discretion, an insecure algorithm. e.g.
* a TLS socket without authentication.
*/
const unsigned long MITM_OK = (1 << 6);
/**
* If set, do not use newer protocol features that might have interop problems
* on the Internet. Intended only for use with critical infra like the updater.
* default is false.
*/
const unsigned long BE_CONSERVATIVE = (1 << 7);
const unsigned long BE_CONSERVATIVE = (1 << 6);
/**
* If set, do not use TRR for resolving the host name. Intended only for
* retries or other scenarios when TRR is deemed likely to have returned a
* wrong adddress.
*/
const unsigned long DISABLE_TRR = (1 << 8);
const unsigned long DISABLE_TRR = (1 << 7);
/**
* Values for the connectionFlags
@ -251,19 +244,19 @@ interface nsISocketTransport : nsITransport
* cached entry immediately while the new resolve is being done to avoid
* other users from using stale content in the mean time.
*/
const unsigned long REFRESH_CACHE = (1 << 9);
const unsigned long REFRESH_CACHE = (1 << 8);
/**
* If this flag is set then it means that if connecting the preferred ip
* family has failed, retry with the oppsite one once more.
*/
const unsigned long RETRY_WITH_DIFFERENT_IP_FAMILY = (1 << 10);
const unsigned long RETRY_WITH_DIFFERENT_IP_FAMILY = (1 << 9);
/**
* If we know that a server speaks only tls <1.3 there is no need to try
* to use esni and query dns for esni keys.
*/
const unsigned long DONT_TRY_ESNI = (1 << 11);
const unsigned long DONT_TRY_ESNI = (1 << 10);
/**
* An opaque flags for non-standard behavior of the TLS system.

3
netwerk/base/nsSocketTransport2.cpp
View File

@ -1134,9 +1134,6 @@ nsresult nsSocketTransport::BuildSocket(PRFileDesc*& fd, bool& proxyTransparent,
if (mConnectionFlags & nsISocketTransport::NO_PERMANENT_STORAGE)
controlFlags |= nsISocketProvider::NO_PERMANENT_STORAGE;
if (mConnectionFlags & nsISocketTransport::MITM_OK)
controlFlags |= nsISocketProvider::MITM_OK;
if (mConnectionFlags & nsISocketTransport::BE_CONSERVATIVE)
controlFlags |= nsISocketProvider::BE_CONSERVATIVE;

10
netwerk/socket/nsISSLSocketControl.idl
View File

@ -149,16 +149,10 @@ interface nsISSLSocketControl : nsISupports {
*/
[infallible] readonly attribute boolean clientCertSent;
/**
* bypassAuthentication is true if the server certificate checks are
* not be enforced. This is to enable non-secure transport over TLS.
*/
[infallible] readonly attribute boolean bypassAuthentication;
/*
* failedVerification is true if any enforced certificate checks have failed.
* Connections that have not yet tried to verify, have verifications bypassed,
* or are using acceptable exceptions will all return false.
* Connections that have not yet tried to verify, or are using acceptable
* exceptions will all return false.
*/
[infallible] readonly attribute boolean failedVerification;

9
netwerk/socket/nsISocketProvider.idl
View File

@ -105,17 +105,10 @@ interface nsISocketProvider : nsISupports
*/
const unsigned long NO_PERMANENT_STORAGE = 1 << 2;
/**
* This flag is an explicit opt-in that allows a normally secure socket
* provider to use, at its discretion, an insecure algorithm. e.g.
* a TLS socket without authentication.
*/
const unsigned long MITM_OK = 1 << 3;
/**
* If set, do not use newer protocol features that might have interop problems
* on the Internet. Intended only for use with critical infra like the updater.
* default is false.
*/
const unsigned long BE_CONSERVATIVE = 1 << 4;
const unsigned long BE_CONSERVATIVE = 1 << 3;
};

8
security/manager/ssl/SSLServerCertVerification.cpp
View File

@ -1563,14 +1563,6 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
if (BlockServerCertChangeForSpdy(socketInfo, serverCert) != SECSuccess)
return SECFailure;
nsCOMPtr<nsISSLSocketControl> sslSocketControl = do_QueryInterface(
NS_ISUPPORTS_CAST(nsITransportSecurityInfo*, socketInfo));
if (sslSocketControl && sslSocketControl->GetBypassAuthentication()) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("[%p] Bypass Auth in AuthCertificateHook\n", fd));
return SECSuccess;
}
bool onSTSThread;
nsresult nrv;
nsCOMPtr<nsIEventTarget> sts =

22
security/manager/ssl/nsNSSIOLayer.cpp
View File

@ -136,7 +136,6 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags,
mKEAKeyBits(0),
mSSLVersionUsed(nsISSLSocketControl::SSL_VERSION_UNKNOWN),
mMACAlgorithmUsed(nsISSLSocketControl::SSL_MAC_UNKNOWN),
mBypassAuthentication(false),
mProviderFlags(providerFlags),
mProviderTlsFlags(providerTlsFlags),
mSocketCreationTimestamp(TimeStamp::Now()),
@ -213,12 +212,6 @@ nsNSSSocketInfo::GetClientCertSent(bool* arg) {
return NS_OK;
}
NS_IMETHODIMP
nsNSSSocketInfo::GetBypassAuthentication(bool* arg) {
*arg = mBypassAuthentication;
return NS_OK;
}
NS_IMETHODIMP
nsNSSSocketInfo::GetFailedVerification(bool* arg) {
*arg = mFailedVerification;
@ -494,12 +487,6 @@ nsNSSSocketInfo::TestJoinConnection(const nsACString& npnProtocol,
// Make sure NPN has been completed and matches requested npnProtocol
if (!mNPNCompleted || !mNegotiatedNPN.Equals(npnProtocol)) return NS_OK;
if (mBypassAuthentication) {
// An unauthenticated connection does not know whether or not it
// is acceptable for a particular hostname
return NS_OK;
}
IsAcceptableForHost(hostname, _retval); // sets _retval
return NS_OK;
}
@ -2194,11 +2181,7 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd,
SSL_GetClientAuthDataHook(
sslSock, (SSLGetClientAuthData)nsNSS_SSLGetClientAuthData, infoObject);
}
if (flags & nsISocketProvider::MITM_OK) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("[%p] nsSSLIOLayerImportFD: bypass authentication flag\n", fd));
infoObject->SetBypassAuthentication(true);
}
if (SECSuccess !=
SSL_AuthCertificateHook(sslSock, AuthCertificateHook, infoObject)) {
MOZ_ASSERT_UNREACHABLE("Failed to configure AuthCertificateHook");
@ -2368,9 +2351,6 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
if (flags & nsISocketProvider::NO_PERMANENT_STORAGE) {
peerId.AppendLiteral("private:");
}
if (flags & nsISocketProvider::MITM_OK) {
peerId.AppendLiteral("bypassAuth:");
}
if (flags & nsISocketProvider::BE_CONSERVATIVE) {
peerId.AppendLiteral("beConservative:");
}

7
security/manager/ssl/nsNSSIOLayer.h
View File

@ -102,12 +102,6 @@ class nsNSSSocketInfo final : public mozilla::psm::TransportSecurityInfo,
void SetKEAKeyBits(uint32_t keaBits) { mKEAKeyBits = keaBits; }
void SetBypassAuthentication(bool val) {
if (!mHandshakeCompleted) {
mBypassAuthentication = val;
}
}
void SetSSLVersionUsed(int16_t version) { mSSLVersionUsed = version; }
void SetMACAlgorithmUsed(int16_t mac) { mMACAlgorithmUsed = mac; }
@ -206,7 +200,6 @@ class nsNSSSocketInfo final : public mozilla::psm::TransportSecurityInfo,
uint32_t mKEAKeyBits;
int16_t mSSLVersionUsed;
int16_t mMACAlgorithmUsed;
bool mBypassAuthentication;
uint32_t mProviderFlags;
uint32_t mProviderTlsFlags;