Backed out changeset 4f793a75cd93 (bug 1724072) for geckoview failures . CLOSED TREE

Narcis Beleuzu 2021-08-10 19:19:35 +03:00
parent 12bf02b2bc
commit 625f7a5de1
11 changed files with 52 additions and 107 deletions

@ -6,7 +6,6 @@
const SSL3_PAGE = "https://ssl3.example.com/";
const TLS10_PAGE = "https://tls1.example.com/";
const TLS12_PAGE = "https://tls12.example.com/";
const TRIPLEDES_PAGE = "https://3des.example.com/";
// This includes all the cipher suite prefs we have.
const CIPHER_SUITE_PREFS = [
@ -26,7 +25,7 @@ const CIPHER_SUITE_PREFS = [
"security.ssl3.rsa_aes_256_sha",
"security.ssl3.rsa_aes_128_gcm_sha256",
"security.ssl3.rsa_aes_256_gcm_sha384",
"security.ssl3.deprecated.rsa_des_ede3_sha",
"security.ssl3.rsa_des_ede3_sha",
"security.tls13.aes_128_gcm_sha256",
"security.tls13.aes_256_gcm_sha384",
"security.tls13.chacha20_poly1305_sha256",
@ -37,9 +36,6 @@ function resetPrefs() {
Services.prefs.clearUserPref("security.tls.version.max");
Services.prefs.clearUserPref("security.tls.version.enable-deprecated");
Services.prefs.clearUserPref("security.certerrors.tls.version.show-override");
CIPHER_SUITE_PREFS.forEach(suitePref => {
Services.prefs.clearUserPref(suitePref);
});
}
add_task(async function resetToDefaultConfig() {
@ -321,41 +317,3 @@ add_task(async function overrideUIPref() {
resetPrefs();
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});
// Test that ciphersuites that use 3DES (namely, TLS_RSA_WITH_3DES_EDE_CBC_SHA)
// can only be enabled when deprecated TLS is enabled.
add_task(async function onlyAllow3DESWithDeprecatedTLS() {
// By default, connecting to a server that only uses 3DES should fail.
await BrowserTestUtils.withNewTab(
{ gBrowser, url: "about:blank" },
async browser => {
BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
await BrowserTestUtils.waitForErrorPage(browser);
}
);
// Enabling deprecated TLS should also enable 3DES.
Services.prefs.setBoolPref("security.tls.version.enable-deprecated", true);
await BrowserTestUtils.withNewTab(
{ gBrowser, url: "about:blank" },
async browser => {
BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
await BrowserTestUtils.browserLoaded(browser, false, TRIPLEDES_PAGE);
}
);
// 3DES can be disabled separately.
Services.prefs.setBoolPref(
"security.ssl3.deprecated.rsa_des_ede3_sha",
false
);
await BrowserTestUtils.withNewTab(
{ gBrowser, url: "about:blank" },
async browser => {
BrowserTestUtils.loadURI(browser, TRIPLEDES_PAGE);
await BrowserTestUtils.waitForErrorPage(browser);
}
);
resetPrefs();
});

@ -554,7 +554,7 @@ var Policies = {
}
if ("TLS_RSA_WITH_3DES_EDE_CBC_SHA" in param) {
setAndLockPref(
"security.ssl3.deprecated.rsa_des_ede3_sha",
"security.ssl3.rsa_des_ede3_sha",
!param.TLS_RSA_WITH_3DES_EDE_CBC_SHA
);
}

@ -755,7 +755,7 @@ const POLICIES_TESTS = [
"security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": true,
"security.ssl3.rsa_aes_128_sha": true,
"security.ssl3.rsa_aes_256_sha": true,
"security.ssl3.deprecated.rsa_des_ede3_sha": true,
"security.ssl3.rsa_des_ede3_sha": true,
"security.ssl3.rsa_aes_128_gcm_sha256": true,
"security.ssl3.rsa_aes_256_gcm_sha384": true,
},
@ -786,7 +786,7 @@ const POLICIES_TESTS = [
"security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": false,
"security.ssl3.rsa_aes_128_sha": false,
"security.ssl3.rsa_aes_256_sha": false,
"security.ssl3.deprecated.rsa_des_ede3_sha": false,
"security.ssl3.rsa_des_ede3_sha": false,
"security.ssl3.rsa_aes_128_gcm_sha256": false,
"security.ssl3.rsa_aes_256_gcm_sha384": false,
},

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -317,9 +317,10 @@ https://sha256ee.example.com:443 privileged,cer
# Hosts for imminent distrust warning tests
https://imminently-distrusted.example.com:443 privileged,cert=imminently_distrusted
# Hosts for ssl3/3des/tls1 warning tests
# Hosts for ssl3/rc4/tls1 warning tests
https://ssl3.example.com:443 privileged,ssl3
https://3des.example.com:443 privileged,3des,tls1,tls1_2
https://rc4.example.com:443 privileged,rc4
https://ssl3rc4.example.com:443 privileged,ssl3,rc4
https://tls1.example.com:443 privileged,tls1
https://tls11.example.com:443 privileged,tls1_1
https://tls12.example.com:443 privileged,tls1_2

@ -53,7 +53,7 @@ pref("security.ssl3.rsa_aes_128_sha", true);
pref("security.ssl3.rsa_aes_256_sha", true);
pref("security.ssl3.rsa_aes_128_gcm_sha256", true);
pref("security.ssl3.rsa_aes_256_gcm_sha384", true);
pref("security.ssl3.deprecated.rsa_des_ede3_sha", true);
pref("security.ssl3.rsa_des_ede3_sha", true);
pref("security.content.signature.root_hash",
"97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");

@ -1024,7 +1024,7 @@ nsresult LoadLoadableCertsTask::LoadLoadableRoots() {
// Table of pref names and SSL cipher ID
typedef struct {
const char* pref;
int32_t id;
long id;
bool enabledByDefault;
} CipherPref;
@ -1075,13 +1075,12 @@ static const CipherPref sCipherPrefs[] = {
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA,
true}, // deprecated (RSA key exchange)
};
{"security.ssl3.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
true}, // deprecated (RSA key exchange, 3DES)
// These ciphersuites can only be enabled if deprecated versions of TLS are
// also enabled (via the preference "security.tls.version.enable-deprecated").
static const CipherPref sDeprecatedTLS1CipherPrefs[] = {
{"security.ssl3.deprecated.rsa_des_ede3_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA,
true},
// All the rest are disabled
{nullptr, 0} // end marker
};
// This function will convert from pref values like 1, 2, ...
@ -1358,25 +1357,6 @@ nsresult CipherSuiteChangeObserver::StartObserve() {
return NS_OK;
}
// Enables or disabled ciphersuites from deprecated versions of TLS as
// appropriate. If security.tls.version.enable-deprecated is true, these
// ciphersuites may be enabled, if the corresponding preference is true.
// Otherwise, these ciphersuites will be disabled.
void SetDeprecatedTLS1CipherPrefs() {
if (Preferences::GetBool("security.tls.version.enable-deprecated", false)) {
for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
bool cipherEnabled =
Preferences::GetBool(deprecatedTLS1CipherPref.pref,
deprecatedTLS1CipherPref.enabledByDefault);
SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, cipherEnabled);
}
} else {
for (const auto& deprecatedTLS1CipherPref : sDeprecatedTLS1CipherPrefs) {
SSL_CipherPrefSetDefault(deprecatedTLS1CipherPref.id, false);
}
}
}
nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
const char* aTopic,
const char16_t* someData) {
@ -1386,16 +1366,16 @@ nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
NS_ConvertUTF16toUTF8 prefName(someData);
// Look through the cipher table and set according to pref setting
for (const auto& cipherPref : sCipherPrefs) {
if (prefName.Equals(cipherPref.pref)) {
const CipherPref* const cp = sCipherPrefs;
for (size_t i = 0; cp[i].pref; ++i) {
if (prefName.Equals(cp[i].pref)) {
bool cipherEnabled =
Preferences::GetBool(cipherPref.pref, cipherPref.enabledByDefault);
SSL_CipherPrefSetDefault(cipherPref.id, cipherEnabled);
Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault);
SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);
nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
break;
}
}
SetDeprecatedTLS1CipherPrefs();
nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
} else if (nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
Preferences::RemoveObserver(this, "security.");
MOZ_ASSERT(sObserver.get() == this);
@ -2749,14 +2729,13 @@ nsresult InitializeCipherSuite() {
}
// Now only set SSL/TLS ciphers we knew about at compile time
for (const auto& cipherPref : sCipherPrefs) {
const CipherPref* const cp = sCipherPrefs;
for (size_t i = 0; cp[i].pref; ++i) {
bool cipherEnabled =
Preferences::GetBool(cipherPref.pref, cipherPref.enabledByDefault);
SSL_CipherPrefSetDefault(cipherPref.id, cipherEnabled);
Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault);
SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);
}
SetDeprecatedTLS1CipherPrefs();
// Enable ciphers for PKCS#12
SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
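Review bot: The status returned by `SSL_CipherPrefSetDefault` is discarded in both restored sentinel loops, the one in `CipherSuiteChangeObserver::Observe` and the one in `InitializeCipherSuite`, so a cipher preference that fails to apply is never noticed. That matters most when a user or an enterprise policy is turning a suite off, for example `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, which the table again lists with `enabledByDefault` set to `true`. I would capture the result, `SECStatus srv = SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled);`, and assert or log when it is not `SECSuccess`. Both function bodies begin and end outside the hunks shown, so any existing error path there is not visible from here.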

@ -684,7 +684,7 @@ class SSLTunnel:
"tls1_2",
"tls1_3",
"ssl3",
"3des",
"rc4",
"failHandshake",
):
config.write(

@ -146,7 +146,7 @@ struct server_info_t {
PLHashTable* host_tls11_table;
PLHashTable* host_tls12_table;
PLHashTable* host_tls13_table;
PLHashTable* host_3des_table;
PLHashTable* host_rc4_table;
PLHashTable* host_failhandshake_table;
};
@ -245,7 +245,7 @@ void SignalShutdown() {
// available flags
enum {
USE_SSL3 = 1 << 0,
USE_3DES = 1 << 1,
USE_RC4 = 1 << 1,
FAIL_HANDSHAKE = 1 << 2,
USE_TLS1 = 1 << 3,
USE_TLS1_1 = 1 << 4,
@ -306,8 +306,8 @@ bool ReadConnectRequest(server_info_t* server_info, relayBuffer& buffer,
*flags |= USE_SSL3;
}
if (PL_HashTableLookup(server_info->host_3des_table, token)) {
*flags |= USE_3DES;
if (PL_HashTableLookup(server_info->host_rc4_table, token)) {
*flags |= USE_RC4;
}
if (PL_HashTableLookup(server_info->host_tls1_table, token)) {
@ -444,13 +444,20 @@ bool ConfigureSSLServerSocket(PRFileDesc* socket, server_info_t* si,
return false;
}
if (flags & USE_3DES) {
if (flags & USE_RC4) {
for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
uint16_t cipher_id = SSL_ImplementedCiphers[i];
if (cipher_id == TLS_RSA_WITH_3DES_EDE_CBC_SHA) {
SSL_CipherPrefSet(ssl_socket, cipher_id, true);
} else {
SSL_CipherPrefSet(ssl_socket, cipher_id, false);
switch (cipher_id) {
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
case TLS_RSA_WITH_RC4_128_SHA:
case TLS_RSA_WITH_RC4_128_MD5:
SSL_CipherPrefSet(ssl_socket, cipher_id, true);
break;
default:
SSL_CipherPrefSet(ssl_socket, cipher_id, false);
break;
}
}
}
@ -765,7 +772,7 @@ void HandleConnection(void* data) {
match_hostname, &match);
PL_HashTableEnumerateEntries(ci->server_info->host_tls13_table,
match_hostname, &match);
PL_HashTableEnumerateEntries(ci->server_info->host_3des_table,
PL_HashTableEnumerateEntries(ci->server_info->host_rc4_table,
match_hostname, &match);
PL_HashTableEnumerateEntries(
ci->server_info->host_failhandshake_table, match_hostname,
@ -1036,8 +1043,8 @@ PLHashTable* get_tls13_table(server_info_t* server) {
return server->host_tls13_table;
}
PLHashTable* get_3des_table(server_info_t* server) {
return server->host_3des_table;
PLHashTable* get_rc4_table(server_info_t* server) {
return server->host_rc4_table;
}
PLHashTable* get_failhandshake_table(server_info_t* server) {
@ -1253,11 +1260,11 @@ int processConfigLine(char* configLine) {
return 1;
}
server.host_3des_table =
server.host_rc4_table =
PL_NewHashTable(0, PL_HashString, PL_CompareStrings,
PL_CompareStrings, nullptr, nullptr);
;
if (!server.host_3des_table) {
if (!server.host_rc4_table) {
LOG_ERROR(("Internal, could not create hash table\n"));
return 1;
}
@ -1405,8 +1412,8 @@ int processConfigLine(char* configLine) {
return parseWeakCryptoConfig(keyword, _caret, get_tls13_table);
}
if (!strcmp(keyword, "3des")) {
return parseWeakCryptoConfig(keyword, _caret, get_3des_table);
if (!strcmp(keyword, "rc4")) {
return parseWeakCryptoConfig(keyword, _caret, get_rc4_table);
}
if (!strcmp(keyword, "failHandshake")) {
@ -1500,7 +1507,7 @@ int freeTLSHashItems(PLHashEntry* he, int i, void* arg) {
return HT_ENUMERATE_REMOVE;
}
int free3DESHashItems(PLHashEntry* he, int i, void* arg) {
int freeRC4HashItems(PLHashEntry* he, int i, void* arg) {
delete[](char*) he->key;
return HT_ENUMERATE_REMOVE;
}
@ -1655,10 +1662,10 @@ int main(int argc, char** argv) {
nullptr);
PL_HashTableEnumerateEntries(server.host_tls13_table, freeTLSHashItems,
nullptr);
PL_HashTableEnumerateEntries(server.host_3des_table, free3DESHashItems,
PL_HashTableEnumerateEntries(server.host_rc4_table, freeRC4HashItems,
nullptr);
PL_HashTableEnumerateEntries(server.host_failhandshake_table,
free3DESHashItems, nullptr);
freeRC4HashItems, nullptr);
PL_HashTableDestroy(server.host_cert_table);
PL_HashTableDestroy(server.host_clientauth_table);
PL_HashTableDestroy(server.host_redir_table);
@ -1667,7 +1674,7 @@ int main(int argc, char** argv) {
PL_HashTableDestroy(server.host_tls11_table);
PL_HashTableDestroy(server.host_tls12_table);
PL_HashTableDestroy(server.host_tls13_table);
PL_HashTableDestroy(server.host_3des_table);
PL_HashTableDestroy(server.host_rc4_table);
PL_HashTableDestroy(server.host_failhandshake_table);
}
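Review bot: In the `USE_RC4` branch of `ConfigureSSLServerSocket`, the result of every `SSL_CipherPrefSet` call is ignored, so if the four RC4 suites cannot be enabled the loop still disables everything else and the socket is left with no usable cipher. A test that expects the client to refuse an `rc4` host would then see a failed handshake and pass for the wrong reason. Checking the enabling call would surface that, e.g. `if (SSL_CipherPrefSet(ssl_socket, cipher_id, true) != SECSuccess) { LOG_ERROR(("could not enable RC4 cipher suite\n")); return false; }`, which matches the `return false;` used for the earlier failure in the same function. The function body starts and ends outside the hunk.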