Bug 942729, Part 2: Remove unused expected symmetric cipher mechanism, r=briansmith

--HG-- extra : rebase_source : 9630808b663d6a670c2e45d242177a640817f2ee
2024-11-28 23:31:56 +00:00 · 2013-11-25 18:12:40 -05:00 · 2013-11-25 18:12:40 -05:00 · a72d594dd7
commit a72d594dd7
parent da55c6102d
7 changed files with 10 additions and 76 deletions
--- a/netwerk/protocol/http/nsHttp.h
+++ b/netwerk/protocol/http/nsHttp.h
@ -71,7 +71,6 @@ typedef uint8_t nsHttpVersion;
 // These flags allow a transaction to use TLS false start with
 // weaker security profiles based on past history
 #define NS_HTTP_ALLOW_RSA_FALSESTART (1<<9)
-#define NS_HTTP_ALLOW_RC4_FALSESTART (1<<10)

 //-----------------------------------------------------------------------------
 // some default values
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -412,7 +412,7 @@ nsHttpChannel::SpeculativeConnect()

    gHttpHandler->SpeculativeConnect(
        mConnectionInfo, callbacks,
-        mCaps & (NS_HTTP_ALLOW_RSA_FALSESTART | NS_HTTP_ALLOW_RC4_FALSESTART | NS_HTTP_DISALLOW_SPDY));
+        mCaps & (NS_HTTP_ALLOW_RSA_FALSESTART | NS_HTTP_DISALLOW_SPDY));
 }

 void
@ -600,12 +600,6 @@ nsHttpChannel::RetrieveSSLOptions()
             "falsestart-rsa permission found\n", this));
        mCaps |= NS_HTTP_ALLOW_RSA_FALSESTART;
    }
-    rv = permMgr->TestPermissionFromPrincipal(principal, "falsestart-rc4", &perm);
-    if (NS_SUCCEEDED(rv) && perm == nsIPermissionManager::ALLOW_ACTION) {
-        LOG(("nsHttpChannel::RetrieveSSLOptions [this=%p] "
-             "falsestart-rc4 permission found\n", this));
-        mCaps |= NS_HTTP_ALLOW_RC4_FALSESTART;
-    }
 }

 nsresult
@ -1101,7 +1095,6 @@ nsHttpChannel::ProcessSSLInformation()
    // If this is HTTPS, record any use of RSA so that Key Exchange Algorithm
    // can be whitelisted for TLS False Start in future sessions. We could
    // do the same for DH but its rarity doesn't justify the lookup.
-    // Also do the same for RC4 symmetric ciphers.

    if (mCanceled || NS_FAILED(mStatus) || !mSecurityInfo ||
        !IsHTTPS() || mPrivateBrowsing)
@ -1128,7 +1121,6 @@ nsHttpChannel::ProcessSSLInformation()
        return;

    int16_t kea = ssl->GetKEAUsed();
-    int16_t symcipher = ssl->GetSymmetricCipherUsed();

    nsIPrincipal *principal = GetPrincipal();
    if (!principal)
@ -1156,17 +1148,6 @@ nsHttpChannel::ProcessSSLInformation()
    } else {
        permMgr->RemoveFromPrincipal(principal, "falsestart-rsa");
    }
-
-    if (symcipher == ssl_calg_rc4) {
-        permMgr->AddFromPrincipal(principal, "falsestart-rc4",
-                                  nsIPermissionManager::ALLOW_ACTION,
-                                  nsIPermissionManager::EXPIRE_TIME,
-                                  expireTime);
-        LOG(("nsHttpChannel::ProcessSSLInformation [this=%p] "
-             "falsestart-rc4 permission granted for this host\n", this));
-    } else {
-        permMgr->RemoveFromPrincipal(principal, "falsestart-rc4");
-    }
 }

 nsresult
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@ -391,12 +391,6 @@ nsHttpConnection::SetupSSL(uint32_t caps)
        ssl->SetKEAExpected(ssl_kea_rsa);
    }

-    if (caps & NS_HTTP_ALLOW_RC4_FALSESTART) {
-        LOG(("nsHttpConnection::SetupSSL %p "
-             ">= RC4 Key Exchange Expected\n", this));
-        ssl->SetSymmetricCipherExpected(ssl_calg_rc4);
-    }
-
    nsTArray<nsCString> protocolArray;

    // The first protocol is used as the fallback if none of the
--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@ -14,7 +14,7 @@ class nsCString;
 %}
 [ref] native nsCStringTArrayRef(nsTArray<nsCString>);

-[scriptable, builtinclass, uuid(c5eb9af4-238c-4fc6-bdec-d5ab5e7dce68)]
+[scriptable, builtinclass, uuid(5fe25c47-5462-4b85-b946-fc2e20c07cdf)]
 interface nsISSLSocketControl : nsISupports {
    attribute nsIInterfaceRequestor     notificationCallbacks;

@ -52,21 +52,18 @@ interface nsISSLSocketControl : nsISupports {
      in ACString hostname,
      in long port);

-    /* The Key Exchange Algorithm and Symmetric Cipher
-       is used when determining whether or not to do false start.
-       After a handshake is complete it can be read from *Used,
-       before a handshake is started it may be set through *Expected.
-       The values correspond to the SSLKEAType and SSLCipherAlgorithm
-       enums in NSS or the *_UNKNOWN constant defined below.
+    /* The Key Exchange Algorithm is used when determining whether or
+       not to do false start.
+       After a handshake is complete it can be read from KEAUsed,
+       before a handshake is started it may be set through KEAExpected.
+       The values correspond to the SSLKEAType enum in NSS or the
+       KEY_EXCHANGE_UNKNOWN constant defined below.
    */

    [infallible] readonly attribute short KEAUsed;
    [infallible] attribute short KEAExpected;
-    [infallible] readonly attribute short SymmetricCipherUsed;
-    [infallible] attribute short SymmetricCipherExpected;

    const short KEY_EXCHANGE_UNKNOWN = -1;
-    const short SYMMETRIC_CIPHER_UNKNOWN = -1;

    /*
     * The original flags from the socket provider.
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@ -1308,7 +1308,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
            ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL
            : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED,
          cipherInfo.symCipher);
-      infoObject->SetSymmetricCipherUsed(cipherInfo.symCipher);
    }
  }

--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -133,8 +133,6 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags)
    mNotedTimeUntilReady(false),
    mKEAUsed(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
    mKEAExpected(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
-    mSymmetricCipherUsed(nsISSLSocketControl::SYMMETRIC_CIPHER_UNKNOWN),
-    mSymmetricCipherExpected(nsISSLSocketControl::SYMMETRIC_CIPHER_UNKNOWN),
    mProviderFlags(providerFlags),
    mSocketCreationTimestamp(TimeStamp::Now()),
    mPlaintextBytesRead(0)
@ -175,27 +173,6 @@ nsNSSSocketInfo::SetKEAExpected(int16_t aKea)
  return NS_OK;
 }

-NS_IMETHODIMP
-nsNSSSocketInfo::GetSymmetricCipherUsed(int16_t *aSymmetricCipher)
-{
-  *aSymmetricCipher = mSymmetricCipherUsed;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNSSSocketInfo::GetSymmetricCipherExpected(int16_t *aSymmetricCipher)
-{
-  *aSymmetricCipher = mSymmetricCipherExpected;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNSSSocketInfo::SetSymmetricCipherExpected(int16_t aSymmetricCipher)
-{
-  mSymmetricCipherExpected = aSymmetricCipher;
-  return NS_OK;
-}
-
 NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(bool *aRememberClientAuthCertificate)
 {
  NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@ -106,17 +106,6 @@ public:
    MOZ_ASSERT(NS_SUCCEEDED(rv));
    return result;
  }
-  void SetSymmetricCipherUsed(uint16_t symmetricCipher)
-  {
-    mSymmetricCipherUsed = symmetricCipher;
-  }
-  inline int16_t GetSymmetricCipherExpected() // infallible in nsISSLSocketControl
-  {
-    int16_t result;
-    mozilla::DebugOnly<nsresult> rv = GetSymmetricCipherExpected(&result);
-    MOZ_ASSERT(NS_SUCCEEDED(rv));
-    return result;
-  }

 private:
  PRFileDesc* mFd;
@ -143,12 +132,10 @@ private:
  bool      mSentClientCert;
  bool      mNotedTimeUntilReady;

-  // mKEA* and mSymmetricCipher* are used in false start detetermination
-  // values are from nsISSLSocketControl
+  // mKEA* are used in false start detetermination
+  // Values are from nsISSLSocketControl
  int16_t mKEAUsed;
  int16_t mKEAExpected;
-  int16_t mSymmetricCipherUsed;
-  int16_t mSymmetricCipherExpected;

  uint32_t mProviderFlags;
  mozilla::TimeStamp mSocketCreationTimestamp;