diff --git a/security/manager/ssl/WeakCryptoOverride.cpp b/security/manager/ssl/WeakCryptoOverride.cpp deleted file mode 100644 index e747a33008b..00000000000 --- a/security/manager/ssl/WeakCryptoOverride.cpp +++ /dev/null @@ -1,62 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=8 sts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "WeakCryptoOverride.h" - -#include "MainThreadUtils.h" -#include "SharedSSLState.h" - -using namespace mozilla; -using namespace mozilla::psm; - -NS_IMPL_ISUPPORTS(WeakCryptoOverride, - nsIWeakCryptoOverride) - -WeakCryptoOverride::WeakCryptoOverride() -{ -} - -WeakCryptoOverride::~WeakCryptoOverride() -{ -} - -NS_IMETHODIMP -WeakCryptoOverride::AddWeakCryptoOverride(const nsACString& aHostName, - bool aPrivate, bool aTemporary) -{ - if (!NS_IsMainThread()) { - return NS_ERROR_NOT_SAME_THREAD; - } - - SharedSSLState* sharedState = aPrivate ? PrivateSSLState() - : PublicSSLState(); - if (!sharedState) { - return NS_ERROR_NOT_AVAILABLE; - } - const nsPromiseFlatCString& host = PromiseFlatCString(aHostName); - sharedState->IOLayerHelpers().addInsecureFallbackSite(host, aTemporary); - - return NS_OK; -} - -NS_IMETHODIMP -WeakCryptoOverride::RemoveWeakCryptoOverride(const nsACString& aHostName, - int32_t aPort, bool aPrivate) -{ - if (!NS_IsMainThread()) { - return NS_ERROR_NOT_SAME_THREAD; - } - - SharedSSLState* sharedState = aPrivate ? PrivateSSLState() - : PublicSSLState(); - if (!sharedState) { - return NS_ERROR_NOT_AVAILABLE; - } - const nsPromiseFlatCString& host = PromiseFlatCString(aHostName); - sharedState->IOLayerHelpers().removeInsecureFallbackSite(host, aPort); - - return NS_OK; -} diff --git a/security/manager/ssl/WeakCryptoOverride.h b/security/manager/ssl/WeakCryptoOverride.h deleted file mode 100644 index fefee75ef95..00000000000 --- a/security/manager/ssl/WeakCryptoOverride.h +++ /dev/null @@ -1,35 +0,0 @@ -/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef WEAKCRYPTOOVERRIDE_H -#define WEAKCRYPTOOVERRIDE_H - -#include "nsIWeakCryptoOverride.h" -#include "nsWeakReference.h" - -namespace mozilla { -namespace psm { - -class WeakCryptoOverride final : public nsIWeakCryptoOverride -{ -public: - NS_DECL_ISUPPORTS - NS_DECL_NSIWEAKCRYPTOOVERRIDE - - WeakCryptoOverride(); - -protected: - ~WeakCryptoOverride(); -}; - -} // psm -} // mozilla - -#define NS_WEAKCRYPTOOVERRIDE_CID /* ffb06724-3c20-447c-8328-ae71513dd618 */ \ -{ 0xffb06724, 0x3c20, 0x447c, \ - { 0x83, 0x28, 0xae, 0x71, 0x51, 0x3d, 0xd6, 0x18 } } - -#endif diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build index 59a47bca666..fbad6cb4070 100644 --- a/security/manager/ssl/moz.build +++ b/security/manager/ssl/moz.build @@ -37,7 +37,6 @@ XPIDL_SOURCES += [ 'nsITokenDialogs.idl', 'nsITokenPasswordDialogs.idl', 'nsIUserCertPicker.idl', - 'nsIWeakCryptoOverride.idl', 'nsIX509Cert.idl', 'nsIX509CertDB.idl', 'nsIX509CertList.idl', @@ -127,7 +126,6 @@ UNIFIED_SOURCES += [ 'SharedSSLState.cpp', 'SSLServerCertVerification.cpp', 'TransportSecurityInfo.cpp', - 'WeakCryptoOverride.cpp', ] # nsNSSCertificateDB.cpp needs to include nscert.h before everything else. diff --git a/security/manager/ssl/nsIWeakCryptoOverride.idl b/security/manager/ssl/nsIWeakCryptoOverride.idl deleted file mode 100644 index 5b474c13d4f..00000000000 --- a/security/manager/ssl/nsIWeakCryptoOverride.idl +++ /dev/null @@ -1,45 +0,0 @@ -/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "nsISupports.idl" - -%{C++ -#define NS_WEAKCRYPTOOVERRIDE_CONTRACTID "@mozilla.org/security/weakcryptooverride;1" -%} - -/** - * This represents the fallback whitelist for - * weak crypto servers such as RC4-only. - */ -[scriptable, uuid(27b4d3df-8f15-4eb4-a35f-474e911b61e7)] -interface nsIWeakCryptoOverride : nsISupports { - /** - * Add a weak crypto override for the given hostname:port. - * Main thread only. - * - * @param aHostName The host (punycode) this mapping belongs to - * @param aPrivate The override info will used for the private browsing - * session and no information will be written to the disk. - * @param aTemporary The override info will not persist between sessions. - * Ignored if aPrivate is true. - */ - void addWeakCryptoOverride(in ACString aHostName, - in boolean aPrivate, - [optional] in boolean aTemporary); - - /** - * Remove a weak crypto override for the given hostname:port. - * Main thread only. - * - * @param aHostName The host (punycode) whose entry should be cleared. - * @param aPort The port whose entry should be cleared. - * @param aPrivate The override info will used for the private browsing - * session. - */ - void removeWeakCryptoOverride(in ACString aHostName, - in int32_t aPort, - in boolean aPrivate); -}; diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp index a553c61a341..3e14c3985c4 100644 --- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -1239,9 +1239,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { } else { state = nsIWebProgressListener::STATE_IS_SECURE | nsIWebProgressListener::STATE_SECURE_HIGH; - // we know this site no longer requires a weak cipher - ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(), - infoObject->GetPort()); } infoObject->SetSecurityState(state); diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index bee79c6ef12..4779b7c579e 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -1539,11 +1539,9 @@ PrefObserver::Observe(nsISupports* aSubject, const char* aTopic, } else if (prefName.EqualsLiteral("security.tls.version.fallback-limit")) { mOwner->loadVersionFallbackLimit(); } else if (prefName.EqualsLiteral("security.tls.insecure_fallback_hosts")) { - // Changes to the whitelist on the public side will update the pref. - // Don't propagate the changes to the private side. - if (mOwner->isPublic()) { - mOwner->initInsecureFallbackSites(); - } + nsCString insecureFallbackHosts; + Preferences::GetCString("security.tls.insecure_fallback_hosts", &insecureFallbackHosts); + mOwner->setInsecureFallbackSites(insecureFallbackHosts); } else if (prefName.EqualsLiteral("security.tls.insecure_fallback_hosts.use_static_list")) { mOwner->mUseStaticFallbackList = Preferences::GetBool("security.tls.insecure_fallback_hosts.use_static_list", true); @@ -1644,7 +1642,9 @@ nsSSLIOLayerHelpers::Init() Preferences::GetBool("security.ssl.false_start.require-npn", FALSE_START_REQUIRE_NPN_DEFAULT); loadVersionFallbackLimit(); - initInsecureFallbackSites(); + nsCString insecureFallbackHosts; + Preferences::GetCString("security.tls.insecure_fallback_hosts", &insecureFallbackHosts); + setInsecureFallbackSites(insecureFallbackHosts); mUseStaticFallbackList = Preferences::GetBool("security.tls.insecure_fallback_hosts.use_static_list", true); mUnrestrictedRC4Fallback = @@ -1707,102 +1707,6 @@ nsSSLIOLayerHelpers::setInsecureFallbackSites(const nsCString& str) } } -void -nsSSLIOLayerHelpers::initInsecureFallbackSites() -{ - MOZ_ASSERT(NS_IsMainThread()); - nsCString insecureFallbackHosts; - Preferences::GetCString("security.tls.insecure_fallback_hosts", - &insecureFallbackHosts); - setInsecureFallbackSites(insecureFallbackHosts); -} - -bool -nsSSLIOLayerHelpers::isPublic() const -{ - return this == &PublicSSLState()->IOLayerHelpers(); -} - -void -nsSSLIOLayerHelpers::addInsecureFallbackSite(const nsCString& hostname, - bool temporary) -{ - MOZ_ASSERT(NS_IsMainThread()); - { - MutexAutoLock lock(mutex); - if (mInsecureFallbackSites.Contains(hostname)) { - return; - } - mInsecureFallbackSites.PutEntry(hostname); - } - if (!isPublic() || temporary) { - return; - } - nsCString value; - Preferences::GetCString("security.tls.insecure_fallback_hosts", &value); - if (!value.IsEmpty()) { - value.Append(','); - } - value.Append(hostname); - Preferences::SetCString("security.tls.insecure_fallback_hosts", value); -} - -class FallbackPrefRemover final : public nsRunnable -{ -public: - explicit FallbackPrefRemover(const nsACString& aHost) - : mHost(aHost) - {} - NS_IMETHOD Run() override; -private: - nsCString mHost; -}; - -NS_IMETHODIMP -FallbackPrefRemover::Run() -{ - MOZ_ASSERT(NS_IsMainThread()); - nsCString oldValue; - Preferences::GetCString("security.tls.insecure_fallback_hosts", &oldValue); - nsCCharSeparatedTokenizer toker(oldValue, ','); - nsCString newValue; - while (toker.hasMoreTokens()) { - const nsCSubstring& host = toker.nextToken(); - if (host.Equals(mHost)) { - continue; - } - if (!newValue.IsEmpty()) { - newValue.Append(','); - } - newValue.Append(host); - } - Preferences::SetCString("security.tls.insecure_fallback_hosts", newValue); - return NS_OK; -} - -void -nsSSLIOLayerHelpers::removeInsecureFallbackSite(const nsACString& hostname, - uint16_t port) -{ - forgetIntolerance(hostname, port); - { - MutexAutoLock lock(mutex); - if (!mInsecureFallbackSites.Contains(hostname)) { - return; - } - mInsecureFallbackSites.RemoveEntry(hostname); - } - if (!isPublic()) { - return; - } - RefPtr runnable = new FallbackPrefRemover(hostname); - if (NS_IsMainThread()) { - runnable->Run(); - } else { - NS_DispatchToMainThread(runnable); - } -} - struct FallbackListComparator { explicit FallbackListComparator(const char* aTarget) diff --git a/security/manager/ssl/nsNSSIOLayer.h b/security/manager/ssl/nsNSSIOLayer.h index 0ec84072af0..965eca879a6 100644 --- a/security/manager/ssl/nsNSSIOLayer.h +++ b/security/manager/ssl/nsNSSIOLayer.h @@ -226,10 +226,6 @@ public: void clearStoredData(); void loadVersionFallbackLimit(); void setInsecureFallbackSites(const nsCString& str); - void initInsecureFallbackSites(); - bool isPublic() const; - void addInsecureFallbackSite(const nsCString& hostname, bool temporary); - void removeInsecureFallbackSite(const nsACString& hostname, uint16_t port); bool isInsecureFallbackSite(const nsACString& hostname); bool mFalseStartRequireNPN; diff --git a/security/manager/ssl/nsNSSModule.cpp b/security/manager/ssl/nsNSSModule.cpp index ea74d1f62a2..f0f84765031 100644 --- a/security/manager/ssl/nsNSSModule.cpp +++ b/security/manager/ssl/nsNSSModule.cpp @@ -4,44 +4,48 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include "CertBlocklist.h" -#include "nsCertOverrideService.h" -#include "nsCertPicker.h" -#include "nsCrypto.h" -#include "nsCryptoHash.h" -#include "nsCURILoader.h" -#include "nsDataSignatureVerifier.h" -#include "nsDOMCID.h" //For the NS_CRYPTO_CONTRACTID define -#include "nsEntropyCollector.h" -#include "nsICategoryManager.h" -#include "nsKeygenHandler.h" -#include "nsKeyModule.h" #include "mozilla/ModuleUtils.h" -#include "nsNetCID.h" -#include "nsNSSCertificate.h" -#include "nsNSSCertificateDB.h" -#include "nsNSSCertificateFakeTransport.h" + #include "nsNSSComponent.h" -#include "NSSErrorsService.h" -#include "nsNSSVersion.h" -#include "nsNTLMAuthModule.h" +#include "nsSSLSocketProvider.h" +#include "nsTLSSocketProvider.h" +#include "nsKeygenHandler.h" + +#include "nsSDR.h" + #include "nsPK11TokenDB.h" #include "nsPKCS11Slot.h" -#include "PSMContentListener.h" -#include "nsRandomGenerator.h" -#include "nsSDR.h" -#include "nsSecureBrowserUIImpl.h" -#include "nsSiteSecurityService.h" -#include "nsSSLSocketProvider.h" -#include "nsSSLStatus.h" -#include "nsTLSSocketProvider.h" -#include "TransportSecurityInfo.h" -#include "WeakCryptoOverride.h" -#include "nsXULAppAPI.h" - +#include "nsNSSCertificate.h" +#include "nsNSSCertificateFakeTransport.h" +#include "nsNSSCertificateDB.h" #ifdef MOZ_XUL #include "nsCertTree.h" #endif +#include "nsCrypto.h" +#include "nsCryptoHash.h" +//For the NS_CRYPTO_CONTRACTID define +#include "nsDOMCID.h" +#include "nsNetCID.h" +#include "nsCertPicker.h" +#include "nsCURILoader.h" +#include "nsICategoryManager.h" +#include "nsNTLMAuthModule.h" +#include "nsKeyModule.h" +#include "nsDataSignatureVerifier.h" +#include "nsCertOverrideService.h" +#include "nsRandomGenerator.h" +#include "nsSSLStatus.h" +#include "TransportSecurityInfo.h" +#include "NSSErrorsService.h" +#include "nsNSSVersion.h" +#include "CertBlocklist.h" +#include "nsEntropyCollector.h" +#include "nsSecureBrowserUIImpl.h" +#include "nsSiteSecurityService.h" + +#include "nsXULAppAPI.h" + +#include "PSMContentListener.h" #define NS_IS_PROCESS_DEFAULT \ (GeckoProcessType_Default == XRE_GetProcessType()) @@ -219,7 +223,6 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(nsEntropyCollector) NS_GENERIC_FACTORY_CONSTRUCTOR(nsSecureBrowserUIImpl) NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(CertBlocklist, Init) NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsSiteSecurityService, Init) -NS_GENERIC_FACTORY_CONSTRUCTOR(WeakCryptoOverride) NS_DEFINE_NAMED_CID(NS_NSSCOMPONENT_CID); NS_DEFINE_NAMED_CID(NS_SSLSOCKETPROVIDER_CID); @@ -253,7 +256,6 @@ NS_DEFINE_NAMED_CID(NS_ENTROPYCOLLECTOR_CID); NS_DEFINE_NAMED_CID(NS_SECURE_BROWSER_UI_CID); NS_DEFINE_NAMED_CID(NS_SITE_SECURITY_SERVICE_CID); NS_DEFINE_NAMED_CID(NS_CERT_BLOCKLIST_CID); -NS_DEFINE_NAMED_CID(NS_WEAKCRYPTOOVERRIDE_CID); static const mozilla::Module::CIDEntry kNSSCIDs[] = { { &kNS_NSSCOMPONENT_CID, false, nullptr, nsNSSComponentConstructor }, @@ -288,7 +290,6 @@ static const mozilla::Module::CIDEntry kNSSCIDs[] = { { &kNS_SECURE_BROWSER_UI_CID, false, nullptr, nsSecureBrowserUIImplConstructor }, { &kNS_SITE_SECURITY_SERVICE_CID, false, nullptr, nsSiteSecurityServiceConstructor }, { &kNS_CERT_BLOCKLIST_CID, false, nullptr, CertBlocklistConstructor}, - { &kNS_WEAKCRYPTOOVERRIDE_CID, false, nullptr, WeakCryptoOverrideConstructor }, { nullptr } }; @@ -324,7 +325,6 @@ static const mozilla::Module::ContractIDEntry kNSSContracts[] = { { NS_SECURE_BROWSER_UI_CONTRACTID, &kNS_SECURE_BROWSER_UI_CID }, { NS_SSSERVICE_CONTRACTID, &kNS_SITE_SECURITY_SERVICE_CID }, { NS_CERTBLOCKLIST_CONTRACTID, &kNS_CERT_BLOCKLIST_CID }, - { NS_WEAKCRYPTOOVERRIDE_CONTRACTID, &kNS_WEAKCRYPTOOVERRIDE_CID }, { nullptr } }; diff --git a/security/manager/ssl/nsSecureBrowserUIImpl.cpp b/security/manager/ssl/nsSecureBrowserUIImpl.cpp index 1aabc02aa5f..b930be9aded 100644 --- a/security/manager/ssl/nsSecureBrowserUIImpl.cpp +++ b/security/manager/ssl/nsSecureBrowserUIImpl.cpp @@ -31,7 +31,6 @@ #include "imgIRequest.h" #include "nsThreadUtils.h" #include "nsNetCID.h" -#include "nsNetUtil.h" #include "nsCRT.h" #include "nsIInterfaceRequestorUtils.h" #include "nsIProtocolHandler.h" diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js index 5bb6b1abef1..56022d020bf 100644 --- a/security/manager/ssl/tests/unit/head_psm.js +++ b/security/manager/ssl/tests/unit/head_psm.js @@ -63,7 +63,6 @@ const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160; const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157; const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176; -const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2; const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12; const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17; const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132; diff --git a/security/manager/ssl/tests/unit/test_weak_crypto.js b/security/manager/ssl/tests/unit/test_weak_crypto.js deleted file mode 100644 index d93fe7c6213..00000000000 --- a/security/manager/ssl/tests/unit/test_weak_crypto.js +++ /dev/null @@ -1,262 +0,0 @@ -/* Any copyright is dedicated to the Public Domain. - http://creativecommons.org/publicdomain/zero/1.0/ */ - -"use strict"; - -// Tests the weak crypto override - -const TLS_RSA_WITH_RC4_128_MD5 = 0x0004; -const TLS_RSA_WITH_RC4_128_SHA = 0x0005; -const TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007; -const TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011; - -// Need profile dir to store the key / cert -do_get_profile(); -// Ensure PSM is initialized -Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports); - -const certService = Cc["@mozilla.org/security/local-cert-service;1"] - .getService(Ci.nsILocalCertService); -const certOverrideService = Cc["@mozilla.org/security/certoverride;1"] - .getService(Ci.nsICertOverrideService); -const weakCryptoOverride = Cc["@mozilla.org/security/weakcryptooverride;1"] - .getService(Ci.nsIWeakCryptoOverride); -const socketTransportService = - Cc["@mozilla.org/network/socket-transport-service;1"] - .getService(Ci.nsISocketTransportService); - -function getCert() { - let deferred = Promise.defer(); - certService.getOrCreateCert("tls-test", { - handleCert: function(c, rv) { - if (rv) { - deferred.reject(rv); - return; - } - deferred.resolve(c); - } - }); - return deferred.promise; -} - -function startServer(cert, rc4only) { - let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"] - .createInstance(Ci.nsITLSServerSocket); - tlsServer.init(-1, true, -1); - tlsServer.serverCert = cert; - - let input, output; - - let listener = { - onSocketAccepted: function(socket, transport) { - do_print("Accept TLS client connection"); - let connectionInfo = transport.securityInfo - .QueryInterface(Ci.nsITLSServerConnectionInfo); - connectionInfo.setSecurityObserver(listener); - input = transport.openInputStream(0, 0, 0); - output = transport.openOutputStream(0, 0, 0); - }, - onHandshakeDone: function(socket, status) { - do_print("TLS handshake done"); - - equal(status.tlsVersionUsed, Ci.nsITLSClientStatus.TLS_VERSION_1_2, - "Using TLS 1.2"); - let expectedCipher = rc4only ? "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" - : "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; - equal(status.cipherName, expectedCipher, - "Using expected cipher"); - equal(status.keyLength, 128, "Using 128-bit key"); - equal(status.macLength, rc4only ? 160 : 128, "Using MAC of expected length"); - - input.asyncWait({ - onInputStreamReady: function(input) { - NetUtil.asyncCopy(input, output); - } - }, 0, 0, Services.tm.currentThread); - }, - onStopListening: function() {} - }; - - tlsServer.setSessionCache(false); - tlsServer.setSessionTickets(false); - tlsServer.setRequestClientCertificate(Ci.nsITLSServerSocket.REQUEST_NEVER); - if (rc4only) { - let cipherSuites = [ - TLS_ECDHE_RSA_WITH_RC4_128_SHA, - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - TLS_RSA_WITH_RC4_128_SHA, - TLS_RSA_WITH_RC4_128_MD5 - ]; - tlsServer.setCipherSuites(cipherSuites, cipherSuites.length); - } - - tlsServer.asyncListen(listener); - - return tlsServer.port; -} - -function storeCertOverride(port, cert) { - let overrideBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED | - Ci.nsICertOverrideService.ERROR_MISMATCH; - certOverrideService.rememberValidityOverride("127.0.0.1", port, cert, - overrideBits, true); -} - -function startClient(port, expectedResult, options = {}) { - let SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE; - let SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17; - let transport = - socketTransportService.createTransport(["ssl"], 1, "127.0.0.1", port, null); - if (options.isPrivate) { - transport.connectionFlags |= Ci.nsISocketTransport.NO_PERMANENT_STORAGE; - } - let input; - let output; - - let inputDeferred = Promise.defer(); - let outputDeferred = Promise.defer(); - - let handler = { - - onTransportStatus: function(transport, status) { - if (status === Ci.nsISocketTransport.STATUS_CONNECTED_TO) { - output.asyncWait(handler, 0, 0, Services.tm.currentThread); - } - }, - - onInputStreamReady: function(input) { - let errorCode = Cr.NS_OK; - try { - let data = NetUtil.readInputStreamToString(input, input.available()); - equal(data, "HELLO", "Echoed data received"); - input.close(); - output.close(); - } catch (e) { - errorCode = e.result; - } - try { - equal(errorCode, expectedResult, - "Actual and expected connection result should match"); - inputDeferred.resolve(); - } catch (e) { - inputDeferred.reject(e); - } - }, - - onOutputStreamReady: function(output) { - try { - output.write("HELLO", 5); - do_print("Output to server written"); - outputDeferred.resolve(); - input = transport.openInputStream(0, 0, 0); - input.asyncWait(handler, 0, 0, Services.tm.currentThread); - } catch (e) { - let errorCode = -1 * (e.result & 0xFFFF); - if (errorCode == SSL_ERROR_BAD_CERT_ALERT) { - do_print("Server doesn't like client cert"); - } - outputDeferred.reject(e); - } - } - - }; - - transport.setEventSink(handler, Services.tm.currentThread); - output = transport.openOutputStream(0, 0, 0); - - return Promise.all([inputDeferred.promise, outputDeferred.promise]); -} - -function run_test() { - Services.prefs.setBoolPref("security.tls.unrestricted_rc4_fallback", false); - run_next_test(); -} - -// for sanity check -add_task(function*() { - let cert = yield getCert(); - ok(!!cert, "Got self-signed cert"); - let port = startServer(cert, false); - storeCertOverride(port, cert); - yield startClient(port, Cr.NS_OK); - yield startClient(port, Cr.NS_OK, {isPrivate: true}); -}); - -add_task(function*() { - let cert = yield getCert(); - ok(!!cert, "Got self-signed cert"); - let port = startServer(cert, true); - storeCertOverride(port, cert); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP)); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP), - {isPrivate: true}); - - weakCryptoOverride.addWeakCryptoOverride("127.0.0.1", true); - // private browsing should not affect the permanent storage. - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - ""); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP)); - // The auto-retry on connection reset is implemented in our HTTP layer. - // So we will see the crafted NS_ERROR_NET_RESET when we use - // nsISocketTransport directly. - yield startClient(port, Cr.NS_ERROR_NET_RESET, {isPrivate: true}); - // retry manually to simulate the HTTP layer - yield startClient(port, Cr.NS_OK, {isPrivate: true}); - - weakCryptoOverride.removeWeakCryptoOverride("127.0.0.1", port, true); - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - ""); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP)); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP), - {isPrivate: true}); - - weakCryptoOverride.addWeakCryptoOverride("127.0.0.1", false, true); - // temporary override should not change the pref. - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - ""); - yield startClient(port, Cr.NS_ERROR_NET_RESET); - yield startClient(port, Cr.NS_OK); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP), - {isPrivate: true}); - - weakCryptoOverride.removeWeakCryptoOverride("127.0.0.1", port, false); - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - ""); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP)); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP), - {isPrivate: true}); - - weakCryptoOverride.addWeakCryptoOverride("127.0.0.1", false); - // permanent override should change the pref. - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - "127.0.0.1"); - yield startClient(port, Cr.NS_ERROR_NET_RESET); - yield startClient(port, Cr.NS_OK); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP), - {isPrivate: true}); - - weakCryptoOverride.removeWeakCryptoOverride("127.0.0.1", port, false); - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - ""); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP)); - yield startClient(port, getXPCOMStatusFromNSS(SSL_ERROR_NO_CYPHER_OVERLAP), - {isPrivate: true}); - - // add a host to the pref to prepare the next test - weakCryptoOverride.addWeakCryptoOverride("127.0.0.1", false); - yield startClient(port, Cr.NS_ERROR_NET_RESET); - yield startClient(port, Cr.NS_OK); - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - "127.0.0.1"); -}); - -add_task(function*() { - let cert = yield getCert(); - ok(!!cert, "Got self-signed cert"); - let port = startServer(cert, false); - storeCertOverride(port, cert); - yield startClient(port, Cr.NS_OK); - // Successful strong cipher will remove the host from the pref. - equal(Services.prefs.getCharPref("security.tls.insecure_fallback_hosts"), - ""); -}); diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini index a54b71a5686..b7e0c770fbf 100644 --- a/security/manager/ssl/tests/unit/xpcshell.ini +++ b/security/manager/ssl/tests/unit/xpcshell.ini @@ -149,5 +149,3 @@ run-sequentially = hardcoded ports run-sequentially = hardcoded ports [test_certviewer_invalid_oids.js] skip-if = toolkit == 'android' || buildapp == 'b2g' - -[test_weak_crypto.js]