Bug 1123020 - Remove options to allow unrestricted renegotiation. r=keeler

Masatoshi Kimura 2015-01-29 21:04:26 +09:00
parent d9b62363ee
commit 90c7a6b8f8
4 changed files with 6 additions and 62 deletions


@ -14,8 +14,6 @@ pref("security.tls.version.fallback-limit", 3);
# bug 1126654, www.gamers-onlineshop.jp
pref("security.tls.insecure_fallback_hosts", "www.kredodirect.com.ua,web3.secureinternetbank.com,cmypage.kuronekoyamato.co.jp,www.timewarnercable.com,wayfarer.timewarnercable.com,www.animate-onlineshop.jp,www.gamers-onlineshop.jp");
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);
pref("security.ssl.renego_unrestricted_hosts", "");
pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
pref("security.ssl.require_safe_negotiation", false);
pref("security.ssl.warn_missing_rfc5746", 1);


@ -734,7 +734,6 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut,
static const int32_t OCSP_ENABLED_DEFAULT = 1;
static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false;
static const bool FALSE_START_ENABLED_DEFAULT = true;
static const bool NPN_ENABLED_DEFAULT = true;
static const bool ALPN_ENABLED_DEFAULT = false;
@ -1054,13 +1053,7 @@ nsNSSComponent::InitializeNSS()
REQUIRE_SAFE_NEGOTIATION_DEFAULT);
SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
bool allowUnrestrictedRenego =
Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
allowUnrestrictedRenego ?
SSL_RENEGOTIATE_UNRESTRICTED :
SSL_RENEGOTIATE_REQUIRES_XTN);
SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN);
SSL_OptionSetDefault(SSL_ENABLE_FALSE_START,
Preferences::GetBool("security.ssl.enable_false_start",
@ -1337,14 +1330,6 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
Preferences::GetBool("security.ssl.require_safe_negotiation",
REQUIRE_SAFE_NEGOTIATION_DEFAULT);
SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
} else if (prefName.EqualsLiteral("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
bool allowUnrestrictedRenego =
Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
allowUnrestrictedRenego ?
SSL_RENEGOTIATE_UNRESTRICTED :
SSL_RENEGOTIATE_REQUIRES_XTN);
} else if (prefName.EqualsLiteral("security.ssl.enable_false_start")) {
SSL_OptionSetDefault(SSL_ENABLE_FALSE_START,
Preferences::GetBool("security.ssl.enable_false_start",
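Review bot: The new unconditional `SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN);` in InitializeNSS discards its return value, so a failure would leave the renegotiation policy at the library default with no diagnostic. Since this call is now the only place the policy is set, comparing the result with `SECSuccess` and logging or failing initialization would make a failure visible. The neighbouring SSL_OptionSetDefault calls in the hunk are also unchecked, so this may be a file convention. A short comment such as `// Renegotiation requires the RFC 5746 extension; deliberately not configurable by pref.` would also explain why there is no pref lookup here. InitializeNSS and Observe both start and end outside the hunks shown.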


@ -678,7 +678,6 @@ void nsSSLIOLayerHelpers::Cleanup()
{
MutexAutoLock lock(mutex);
mTLSIntoleranceInfo.Clear();
mRenegoUnrestrictedSites.Clear();
mInsecureFallbackSites.Clear();
}
@ -1662,11 +1661,7 @@ PrefObserver::Observe(nsISupports* aSubject, const char* aTopic,
if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
NS_ConvertUTF16toUTF8 prefName(someData);
if (prefName.EqualsLiteral("security.ssl.renego_unrestricted_hosts")) {
nsCString unrestrictedHosts;
Preferences::GetCString("security.ssl.renego_unrestricted_hosts", &unrestrictedHosts);
mOwner->setSiteList(mOwner->mRenegoUnrestrictedSites, unrestrictedHosts);
} else if (prefName.EqualsLiteral("security.ssl.treat_unsafe_negotiation_as_broken")) {
if (prefName.EqualsLiteral("security.ssl.treat_unsafe_negotiation_as_broken")) {
bool enabled;
Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
mOwner->setTreatUnsafeNegotiationAsBroken(enabled);
@ -1712,8 +1707,6 @@ nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers()
// mPrefObserver will only be set if this->Init was called. The GTest tests
// do not call Init.
if (mPrefObserver) {
Preferences::RemoveObserver(mPrefObserver,
"security.ssl.renego_unrestricted_hosts");
Preferences::RemoveObserver(mPrefObserver,
"security.ssl.treat_unsafe_negotiation_as_broken");
Preferences::RemoveObserver(mPrefObserver,
@ -1772,10 +1765,6 @@ nsSSLIOLayerHelpers::Init()
nsSSLPlaintextLayerMethods.recv = PlaintextRecv;
}
nsCString unrestrictedHosts;
Preferences::GetCString("security.ssl.renego_unrestricted_hosts", &unrestrictedHosts);
setSiteList(mRenegoUnrestrictedSites, unrestrictedHosts);
bool enabled = false;
Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
setTreatUnsafeNegotiationAsBroken(enabled);
@ -1793,8 +1782,6 @@ nsSSLIOLayerHelpers::Init()
setInsecureFallbackSites(insecureFallbackHosts);
mPrefObserver = new PrefObserver(this);
Preferences::AddStrongObserver(mPrefObserver,
"security.ssl.renego_unrestricted_hosts");
Preferences::AddStrongObserver(mPrefObserver,
"security.ssl.treat_unsafe_negotiation_as_broken");
Preferences::AddStrongObserver(mPrefObserver,
@ -1826,18 +1813,16 @@ void
nsSSLIOLayerHelpers::clearStoredData()
{
MutexAutoLock lock(mutex);
mRenegoUnrestrictedSites.Clear();
mInsecureFallbackSites.Clear();
mTLSIntoleranceInfo.Clear();
}
void
nsSSLIOLayerHelpers::setSiteList(nsTHashtable<nsCStringHashKey>& sites,
const nsCString& str)
nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str)
{
MutexAutoLock lock(mutex);
sites.Clear();
mInsecureFallbackSites.Clear();
if (str.IsEmpty()) {
return;
@ -1848,18 +1833,11 @@ nsSSLIOLayerHelpers::setSiteList(nsTHashtable<nsCStringHashKey>& sites,
while (toker.hasMoreTokens()) {
const nsCSubstring& host = toker.nextToken();
if (!host.IsEmpty()) {
sites.PutEntry(host);
mInsecureFallbackSites.PutEntry(host);
}
}
}
bool
nsSSLIOLayerHelpers::isRenegoUnrestrictedSite(const nsCString& str)
{
MutexAutoLock lock(mutex);
return mRenegoUnrestrictedSites.Contains(str);
}
void
nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(bool broken)
{
@ -2649,16 +2627,6 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
return NS_ERROR_FAILURE;
}
nsSSLIOLayerHelpers& ioHelpers = infoObject->SharedState().IOLayerHelpers();
if (ioHelpers.isRenegoUnrestrictedSite(nsDependentCString(host))) {
if (SECSuccess != SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, false)) {
return NS_ERROR_FAILURE;
}
if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED)) {
return NS_ERROR_FAILURE;
}
}
// Set the Peer ID so that SSL proxy connections work properly and to
// separate anonymous and/or private browsing connections.
uint32_t flags = infoObject->GetProviderFlags();
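Review bot: After this change Cleanup() and clearStoredData() have the same effect, since each takes `mutex` and clears mTLSIntoleranceInfo and mInsecureFallbackSites. Two copies of the "forget per-host TLS state" logic can drift apart when another per-host table is added, leaving stale entries on one path. Consider keeping one body and delegating from the other, e.g. `void nsSSLIOLayerHelpers::Cleanup() { clearStoredData(); }`, assuming Cleanup() has no statements beyond the visible lines. The delegating function must not take `mutex` itself, because the callee already acquires it.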


@ -186,7 +186,6 @@ public:
static PRIOMethods nsSSLIOLayerMethods;
static PRIOMethods nsSSLPlaintextLayerMethods;
nsTHashtable<nsCStringHashKey> mRenegoUnrestrictedSites;
bool mTreatUnsafeNegotiationAsBroken;
int32_t mWarnLevelMissingRFC5746;
@ -230,15 +229,9 @@ public:
/*out*/ StrongCipherStatus& strongCipherStatus);
PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port);
void setSiteList(nsTHashtable<nsCStringHashKey>& sites,
const nsCString& str);
bool isRenegoUnrestrictedSite(const nsCString& str);
void clearStoredData();
void loadVersionFallbackLimit();
void setInsecureFallbackSites(const nsCString& str)
{
setSiteList(mInsecureFallbackSites, str);
}
void setInsecureFallbackSites(const nsCString& str);
bool mFalseStartRequireNPN;
bool mFalseStartRequireForwardSecrecy;
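Review bot: The declaration `void setInsecureFallbackSites(const nsCString& str);` is now the only entry point for the fallback host list, yet it has no comment describing its input or locking. A comment above it such as `// Replaces the insecure-fallback host list with the non-empty hosts parsed from |str|; acquires |mutex|.` would document what the out-of-line definition in this commit does. The separator format is set by a tokenizer that is not shown in the hunks, so the proposed wording leaves it out.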