Bug 799007: Remove support for low/weak/null cipher suites, r=honzab, r=dao

--HG--
extra : rebase_source : 822ef336a5cdeb7d6693dbe46844a26465600854
Brian Smith 2012-11-10 18:18:14 -08:00
parent 824cf41577
commit cb19bf16cd
22 changed files with 33 additions and 309 deletions


@ -580,7 +580,6 @@ pref("network.protocol-handler.expose.nntp", false);
// Default security warning dialogs to show once.
pref("security.warn_entering_secure.show_once", false);
pref("security.warn_entering_weak.show_once", true);
pref("security.warn_leaving_secure.show_once", false);
pref("security.warn_viewing_mixed.show_once", true);
pref("security.warn_submit_insecure.show_once", false);
@ -1004,7 +1003,6 @@ pref("services.sync.prefs.sync.security.default_personal_cert", true);
pref("services.sync.prefs.sync.security.enable_ssl3", true);
pref("services.sync.prefs.sync.security.enable_tls", true);
pref("services.sync.prefs.sync.security.warn_entering_secure", true);
pref("services.sync.prefs.sync.security.warn_entering_weak", true);
pref("services.sync.prefs.sync.security.warn_leaving_secure", true);
pref("services.sync.prefs.sync.security.warn_submit_insecure", true);
pref("services.sync.prefs.sync.security.warn_viewing_mixed", true);


@ -4279,20 +4279,13 @@ var XULBrowserWindow = {
const wpl = Components.interfaces.nsIWebProgressListener;
const wpl_security_bits = wpl.STATE_IS_SECURE |
wpl.STATE_IS_BROKEN |
wpl.STATE_IS_INSECURE |
wpl.STATE_SECURE_HIGH |
wpl.STATE_SECURE_MED |
wpl.STATE_SECURE_LOW;
wpl.STATE_IS_INSECURE;
var level;
switch (this._state & wpl_security_bits) {
case wpl.STATE_IS_SECURE | wpl.STATE_SECURE_HIGH:
case wpl.STATE_IS_SECURE:
level = "high";
break;
case wpl.STATE_IS_SECURE | wpl.STATE_SECURE_MED:
case wpl.STATE_IS_SECURE | wpl.STATE_SECURE_LOW:
level = "low";
break;
case wpl.STATE_IS_BROKEN:
level = "broken";
break;
@ -6679,7 +6672,7 @@ var gIdentityHandler = {
this.setMode(this.IDENTITY_MODE_CHROMEUI);
else if (state & nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL)
this.setMode(this.IDENTITY_MODE_IDENTIFIED);
else if (state & nsIWebProgressListener.STATE_SECURE_HIGH)
else if (state & nsIWebProgressListener.STATE_IS_SECURE)
this.setMode(this.IDENTITY_MODE_DOMAIN_VERIFIED);
else if (state & nsIWebProgressListener.STATE_IS_BROKEN)
this.setMode(this.IDENTITY_MODE_MIXED_CONTENT);


@ -33,7 +33,6 @@ var xml = <prefs>
<pref><name>security.ssl2.des_64</name></pref>
<pref><name>print.always_cache_old_pres</name></pref>
<pref><name>security.ssl3.rsa_des_sha</name></pref>
<pref><name>security.warn_entering_weak.show_once</name></pref>
<pref><name>network.proxy.http_port</name></pref>
<pref><name>browser.display.use_document_colors</name></pref>
<pref><name>browser.preferences.animateFadeIn</name></pref>
@ -825,7 +824,6 @@ var xml = <prefs>
<pref><name>network.proxy.gopher</name></pref>
<pref><name>ui.key.saveLink.shift</name></pref>
<pref><name>font.name.serif.ko</name></pref>
<pref><name>security.warn_entering_weak</name></pref>
<pref><name>font.name.sans-serif.th</name></pref>
<pref><name>capability.policy.mailnews.*.substringData.get</name></pref>
<pref><name>font.name.cursive.x-central-euro</name></pref>


@ -17,7 +17,6 @@ user_pref("javascript.allow.mailnews", true);
user_pref("javascript.options.showInConsole", true);
user_pref("layout.css.report_errors", true);
user_pref("security.warn_entering_secure", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_leaving_secure", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_viewing_mixed", false);


@ -6288,7 +6288,7 @@ var IdentityHandler = {
if (aState & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL)
return this.IDENTITY_MODE_IDENTIFIED;
if (aState & Ci.nsIWebProgressListener.STATE_SECURE_HIGH)
if (aState & Ci.nsIWebProgressListener.STATE_IS_SECURE)
return this.IDENTITY_MODE_DOMAIN_VERIFIED;
return this.IDENTITY_MODE_UNKNOWN;


@ -2133,7 +2133,7 @@ IdentityHandler.prototype = {
if (state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL)
this.setMode(this.IDENTITY_MODE_IDENTIFIED);
else if (state & Ci.nsIWebProgressListener.STATE_SECURE_HIGH)
else if (state & Ci.nsIWebProgressListener.STATE_IS_SECURE)
this.setMode(this.IDENTITY_MODE_DOMAIN_VERIFIED);
else
this.setMode(this.IDENTITY_MODE_UNKNOWN);


@ -18,12 +18,6 @@ pref("security.ssl3.rsa_rc4_128_md5", true);
pref("security.ssl3.rsa_rc4_128_sha", true);
pref("security.ssl3.rsa_fips_des_ede3_sha", true);
pref("security.ssl3.rsa_des_ede3_sha", true);
pref("security.ssl3.rsa_fips_des_sha", false);
pref("security.ssl3.rsa_des_sha", false);
pref("security.ssl3.rsa_1024_rc4_56_sha", false);
pref("security.ssl3.rsa_1024_des_cbc_sha", false);
pref("security.ssl3.rsa_rc4_40_md5", false);
pref("security.ssl3.rsa_rc2_40_md5", false);
pref("security.ssl3.dhe_rsa_camellia_256_sha", true);
pref("security.ssl3.dhe_dss_camellia_256_sha", true);
pref("security.ssl3.rsa_camellia_256_sha", true);
@ -37,31 +31,23 @@ pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", true);
pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", true);
pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
pref("security.ssl3.ecdhe_rsa_des_ede3_sha", true);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
pref("security.ssl3.ecdhe_rsa_null_sha", false);
pref("security.ssl3.ecdh_ecdsa_aes_256_sha", true);
pref("security.ssl3.ecdh_ecdsa_aes_128_sha", true);
pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", true);
pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", true);
pref("security.ssl3.ecdh_ecdsa_null_sha", false);
pref("security.ssl3.ecdh_rsa_aes_256_sha", true);
pref("security.ssl3.ecdh_rsa_aes_128_sha", true);
pref("security.ssl3.ecdh_rsa_des_ede3_sha", true);
pref("security.ssl3.ecdh_rsa_rc4_128_sha", true);
pref("security.ssl3.ecdh_rsa_null_sha", false);
pref("security.ssl3.dhe_rsa_aes_128_sha", true);
pref("security.ssl3.dhe_dss_aes_128_sha", true);
pref("security.ssl3.rsa_aes_128_sha", true);
pref("security.ssl3.dhe_rsa_des_ede3_sha", true);
pref("security.ssl3.dhe_dss_des_ede3_sha", true);
pref("security.ssl3.dhe_rsa_des_sha", false);
pref("security.ssl3.dhe_dss_des_sha", false);
pref("security.ssl3.rsa_null_sha", false);
pref("security.ssl3.rsa_null_md5", false);
pref("security.ssl3.rsa_seed_sha", true);
pref("security.default_personal_cert", "Ask Every Time");
@ -69,7 +55,6 @@ pref("security.remember_cert_checkbox_default_setting", true);
pref("security.ask_for_password", 0);
pref("security.password_lifetime", 30);
pref("security.warn_entering_secure", false);
pref("security.warn_entering_weak", true);
pref("security.warn_leaving_secure", false);
pref("security.warn_viewing_mixed", true);
pref("security.warn_submit_insecure", false);


@ -1324,50 +1324,6 @@ HttpChannelChild::GetAssociatedContentSecurity(
return true;
}
/* attribute unsigned long countSubRequestsHighSecurity; */
NS_IMETHODIMP
HttpChannelChild::GetCountSubRequestsHighSecurity(
int32_t *aSubRequestsHighSecurity)
{
nsCOMPtr<nsIAssociatedContentSecurity> assoc;
if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
return NS_OK;
return assoc->GetCountSubRequestsHighSecurity(aSubRequestsHighSecurity);
}
NS_IMETHODIMP
HttpChannelChild::SetCountSubRequestsHighSecurity(
int32_t aSubRequestsHighSecurity)
{
nsCOMPtr<nsIAssociatedContentSecurity> assoc;
if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
return NS_OK;
return assoc->SetCountSubRequestsHighSecurity(aSubRequestsHighSecurity);
}
/* attribute unsigned long countSubRequestsLowSecurity; */
NS_IMETHODIMP
HttpChannelChild::GetCountSubRequestsLowSecurity(
int32_t *aSubRequestsLowSecurity)
{
nsCOMPtr<nsIAssociatedContentSecurity> assoc;
if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
return NS_OK;
return assoc->GetCountSubRequestsLowSecurity(aSubRequestsLowSecurity);
}
NS_IMETHODIMP
HttpChannelChild::SetCountSubRequestsLowSecurity(
int32_t aSubRequestsLowSecurity)
{
nsCOMPtr<nsIAssociatedContentSecurity> assoc;
if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
return NS_OK;
return assoc->SetCountSubRequestsLowSecurity(aSubRequestsLowSecurity);
}
/* attribute unsigned long countSubRequestsBrokenSecurity; */
NS_IMETHODIMP
HttpChannelChild::GetCountSubRequestsBrokenSecurity(
@ -1418,19 +1374,15 @@ HttpChannelChild::Flush()
return NS_OK;
nsresult rv;
int32_t hi, low, broken, no;
int32_t broken, no;
rv = assoc->GetCountSubRequestsHighSecurity(&hi);
NS_ENSURE_SUCCESS(rv, rv);
rv = assoc->GetCountSubRequestsLowSecurity(&low);
NS_ENSURE_SUCCESS(rv, rv);
rv = assoc->GetCountSubRequestsBrokenSecurity(&broken);
NS_ENSURE_SUCCESS(rv, rv);
rv = assoc->GetCountSubRequestsNoSecurity(&no);
NS_ENSURE_SUCCESS(rv, rv);
if (mIPCOpen)
SendUpdateAssociatedContentSecurity(hi, low, broken, no);
SendUpdateAssociatedContentSecurity(broken, no);
return NS_OK;
}


@ -314,14 +314,10 @@ HttpChannelParent::RecvSetCacheTokenCachedCharset(const nsCString& charset)
}
bool
HttpChannelParent::RecvUpdateAssociatedContentSecurity(const int32_t& high,
const int32_t& low,
const int32_t& broken,
HttpChannelParent::RecvUpdateAssociatedContentSecurity(const int32_t& broken,
const int32_t& no)
{
if (mAssociatedContentSecurity) {
mAssociatedContentSecurity->SetCountSubRequestsHighSecurity(high);
mAssociatedContentSecurity->SetCountSubRequestsLowSecurity(low);
mAssociatedContentSecurity->SetCountSubRequestsBrokenSecurity(broken);
mAssociatedContentSecurity->SetCountSubRequestsNoSecurity(no);
}


@ -76,9 +76,7 @@ protected:
virtual bool RecvCancel(const nsresult& status);
virtual bool RecvRedirect2Verify(const nsresult& result,
const RequestHeaderTuples& changedHeaders);
virtual bool RecvUpdateAssociatedContentSecurity(const int32_t& high,
const int32_t& low,
const int32_t& broken,
virtual bool RecvUpdateAssociatedContentSecurity(const int32_t& broken,
const int32_t& no);
virtual bool RecvDocumentChannelCleanup();
virtual bool RecvMarkOfflineCacheEntryAsForeign();


@ -61,9 +61,7 @@ parent:
SetCacheTokenCachedCharset(nsCString charset);
UpdateAssociatedContentSecurity(int32_t high,
int32_t low,
int32_t broken,
UpdateAssociatedContentSecurity(int32_t broken,
int32_t no);
Suspend();
Resume();


@ -6,7 +6,7 @@
#include "nsISupports.idl"
[scriptable, uuid(39823a45-dd9e-4f8b-9b0a-0ad144eb0db6)]
[scriptable, uuid(8dad8f23-bdb5-458c-b38c-8eab77578e60)]
interface nsISecurityUITelemetry : nsISupports {
@ -29,7 +29,7 @@ const uint32_t WARNING_CONFIRM_ADDON_INSTALL_CLICK_THROUGH = 4;
*/
const uint32_t WARNING_ENTERING_SECURE_SITE = 5;
const uint32_t WARNING_ENTERING_WEAK_SITE = 6;
// removed WARNING_ENTERING_WEAK_SITE = 6;
const uint32_t WARNING_LEAVING_SECURE_SITE = 7;
const uint32_t WARNING_MIXED_CONTENT = 8;
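Review bot: The replacement comment `// removed WARNING_ENTERING_WEAK_SITE = 6;` does not say that the value has to stay unused. These constants look like telemetry bucket ids (an inference from the interface name, not something the hunk shows), so a later constant that reuses 6 would mix new data with the old weak-site counts. I would word it as `// 6 was WARNING_ENTERING_WEAK_SITE (removed); do not reuse this value`.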


@ -11,7 +11,7 @@ interface nsIInterfaceRequestor;
* Functions that display warnings for transitions between secure
* and insecure pages, posts to insecure servers etc.
*/
[scriptable, uuid(1c399d06-1dd2-11b2-bc58-c87cbcacdb78)]
[scriptable, uuid(ba1f7293-c633-4e4c-b3e8-ae2feedb3c09)]
interface nsISecurityWarningDialogs : nsISupports
{
/**
@ -26,19 +26,6 @@ interface nsISecurityWarningDialogs : nsISupports
*/
boolean confirmEnteringSecure(in nsIInterfaceRequestor ctx);
/**
* Inform the user that a transition
* from an insecure page
* or from a secure page
* to a weak security page
* is happening.
*
* @param ctx A user interface context.
*
* @return true if the user confirms to continue
*/
boolean confirmEnteringWeak(in nsIInterfaceRequestor ctx);
/**
* Inform the user that a transition
* from a secure page


@ -126,8 +126,6 @@ nsSecureBrowserUIImpl::nsSecureBrowserUIImpl()
, mNewToplevelIsEV(false)
, mNewToplevelSecurityStateKnown(true)
, mIsViewSource(false)
, mSubRequestsHighSecurity(0)
, mSubRequestsLowSecurity(0)
, mSubRequestsBrokenSecurity(0)
, mSubRequestsNoSecurity(0)
, mRestoreSubrequests(false)
@ -275,10 +273,6 @@ nsSecureBrowserUIImpl::MapInternalToExternalState(uint32_t* aState, lockIconStat
*aState = STATE_IS_BROKEN;
break;
case lis_low_security:
*aState = STATE_IS_SECURE | STATE_SECURE_LOW;
break;
case lis_high_security:
*aState = STATE_IS_SECURE | STATE_SECURE_HIGH;
break;
@ -557,17 +551,7 @@ nsSecureBrowserUIImpl::UpdateSubrequestMembers(nsISupports *securityInfo)
// the code above this line should run without a lock
ReentrantMonitorAutoEnter lock(mReentrantMonitor);
if (reqState & STATE_IS_SECURE) {
if (reqState & STATE_SECURE_LOW || reqState & STATE_SECURE_MED) {
PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
("SecureUI:%p: OnStateChange: subreq LOW\n", this));
++mSubRequestsLowSecurity;
} else {
PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
("SecureUI:%p: OnStateChange: subreq HIGH\n", this));
++mSubRequestsHighSecurity;
}
} else if (reqState & STATE_IS_BROKEN) {
if (reqState & STATE_IS_BROKEN) {
PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
("SecureUI:%p: OnStateChange: subreq BROKEN\n", this));
++mSubRequestsBrokenSecurity;
@ -934,18 +918,7 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
{
f -= nsIWebProgressListener::STATE_SECURE_HIGH;
info.Append("SECURE_HIGH ");
}
if (f & nsIWebProgressListener::STATE_SECURE_MED)
{
f -= nsIWebProgressListener::STATE_SECURE_MED;
info.Append("SECURE_MED ");
}
if (f & nsIWebProgressListener::STATE_SECURE_LOW)
{
f -= nsIWebProgressListener::STATE_SECURE_LOW;
info.Append("SECURE_LOW ");
}
if (f & nsIWebProgressListener::STATE_RESTORING)
} if (f & nsIWebProgressListener::STATE_RESTORING)
{
f -= nsIWebProgressListener::STATE_RESTORING;
info.Append("STATE_RESTORING ");
@ -1037,14 +1010,10 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
{
bool inProgress;
int32_t saveSubHigh;
int32_t saveSubLow;
int32_t saveSubBroken;
int32_t saveSubNo;
nsCOMPtr<nsIAssociatedContentSecurity> prevContentSecurity;
int32_t newSubHigh = 0;
int32_t newSubLow = 0;
int32_t newSubBroken = 0;
int32_t newSubNo = 0;
@ -1054,8 +1023,6 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
if (allowSecurityStateChange && !inProgress)
{
saveSubHigh = mSubRequestsHighSecurity;
saveSubLow = mSubRequestsLowSecurity;
saveSubBroken = mSubRequestsBrokenSecurity;
saveSubNo = mSubRequestsNoSecurity;
prevContentSecurity = do_QueryInterface(mCurrentToplevelSecurityInfo);
@ -1076,13 +1043,11 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
// before resetting our state, let's save information about
// sub element loads, so we can restore it later
prevContentSecurity->SetCountSubRequestsHighSecurity(saveSubHigh);
prevContentSecurity->SetCountSubRequestsLowSecurity(saveSubLow);
prevContentSecurity->SetCountSubRequestsBrokenSecurity(saveSubBroken);
prevContentSecurity->SetCountSubRequestsNoSecurity(saveSubNo);
prevContentSecurity->Flush();
PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Saving subs in START to %p as %d,%d,%d,%d\n",
this, prevContentSecurity.get(), saveSubHigh, saveSubLow, saveSubBroken, saveSubNo));
PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Saving subs in START to %p as %d,%d\n",
this, prevContentSecurity.get(), saveSubBroken, saveSubNo));
}
bool retrieveAssociatedState = false;
@ -1112,12 +1077,10 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
("SecureUI:%p: OnStateChange: start, loading old sub state\n", this
));
newContentSecurity->GetCountSubRequestsHighSecurity(&newSubHigh);
newContentSecurity->GetCountSubRequestsLowSecurity(&newSubLow);
newContentSecurity->GetCountSubRequestsBrokenSecurity(&newSubBroken);
newContentSecurity->GetCountSubRequestsNoSecurity(&newSubNo);
PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in START from %p to %d,%d,%d,%d\n",
this, newContentSecurity.get(), newSubHigh, newSubLow, newSubBroken, newSubNo));
PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in START from %p to %d,%d\n",
this, newContentSecurity.get(), newSubBroken, newSubNo));
}
}
else
@ -1137,8 +1100,6 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
if (allowSecurityStateChange && !inProgress)
{
ResetStateTracking();
mSubRequestsHighSecurity = newSubHigh;
mSubRequestsLowSecurity = newSubLow;
mSubRequestsBrokenSecurity = newSubBroken;
mSubRequestsNoSecurity = newSubNo;
mNewToplevelSecurityStateKnown = false;
@ -1243,25 +1204,19 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
mNewToplevelSecurityStateKnown = true;
}
int32_t subHigh = 0;
int32_t subLow = 0;
int32_t subBroken = 0;
int32_t subNo = 0;
if (currentContentSecurity)
{
currentContentSecurity->GetCountSubRequestsHighSecurity(&subHigh);
currentContentSecurity->GetCountSubRequestsLowSecurity(&subLow);
currentContentSecurity->GetCountSubRequestsBrokenSecurity(&subBroken);
currentContentSecurity->GetCountSubRequestsNoSecurity(&subNo);
PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in STOP from %p to %d,%d,%d,%d\n",
this, currentContentSecurity.get(), subHigh, subLow, subBroken, subNo));
PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in STOP from %p to %d,%d\n",
this, currentContentSecurity.get(), subBroken, subNo));
}
{
ReentrantMonitorAutoEnter lock(mReentrantMonitor);
mSubRequestsHighSecurity = subHigh;
mSubRequestsLowSecurity = subLow;
mSubRequestsBrokenSecurity = subBroken;
mSubRequestsNoSecurity = subNo;
}
@ -1350,39 +1305,15 @@ bool nsSecureBrowserUIImpl::UpdateMyFlags(bool &showWarning, lockIconState &warn
if (mNewToplevelSecurityState & STATE_IS_SECURE)
{
if (mNewToplevelSecurityState & STATE_SECURE_LOW
if (mSubRequestsBrokenSecurity
||
mNewToplevelSecurityState & STATE_SECURE_MED)
mSubRequestsNoSecurity)
{
if (mSubRequestsBrokenSecurity
||
mSubRequestsNoSecurity)
{
newSecurityState = lis_mixed_security;
}
else
{
newSecurityState = lis_low_security;
}
newSecurityState = lis_mixed_security;
}
else
{
// toplevel is high security
if (mSubRequestsBrokenSecurity
||
mSubRequestsNoSecurity)
{
newSecurityState = lis_mixed_security;
}
else if (mSubRequestsLowSecurity)
{
newSecurityState = lis_low_security;
}
else
{
newSecurityState = lis_high_security;
}
newSecurityState = lis_high_security;
}
}
else
@ -1416,28 +1347,20 @@ bool nsSecureBrowserUIImpl::UpdateMyFlags(bool &showWarning, lockIconState &warn
no or broken -> no or broken => <NOTHING SHOWN>
no or broken -> mixed => mixed alert
no or broken -> low => low alert
no or broken -> high => high alert
mixed, high, low -> no, broken => leaving secure
mixed, high -> no, broken => leaving secure
mixed -> low => low alert
mixed -> high => high alert
high -> low => low alert
high -> mixed => mixed
low -> high => high
low -> mixed => mixed
security icon
----------------
no open
mixed broken
broken broken
low low
high high
*/
@ -1533,10 +1456,6 @@ nsresult nsSecureBrowserUIImpl::TellTheWorld(bool showWarning,
ConfirmMixedMode();
break;
case lis_low_security:
ConfirmEnteringWeak();
break;
case lis_high_security:
ConfirmEnteringSecure();
break;
@ -1687,7 +1606,6 @@ nsSecureBrowserUIImpl::GetSSLStatus(nsISSLStatus** _result)
switch (mNotifiedSecurityState)
{
case lis_mixed_security:
case lis_low_security:
case lis_high_security:
break;
@ -1886,22 +1804,6 @@ ConfirmEnteringSecure()
return confirms;
}
bool nsSecureBrowserUIImpl::
ConfirmEnteringWeak()
{
nsCOMPtr<nsISecurityWarningDialogs> dialogs;
nsCOMPtr<nsIInterfaceRequestor> ctx;
if (!GetNSSDialogs(dialogs, ctx)) {
return false; // Should this allow true for unimplemented?
}
bool confirms;
dialogs->ConfirmEnteringWeak(ctx, &confirms);
return confirms;
}
bool nsSecureBrowserUIImpl::
ConfirmLeavingSecure()
{
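Review bot: MapInternalToExternalState still reports `STATE_IS_SECURE | STATE_SECURE_HIGH` for lis_high_security, and the OnStateChange debug dump still decodes STATE_SECURE_HIGH, while the same commit makes HandshakeCallback report a bare STATE_IS_SECURE. Listeners would then see the HIGH bit on the browser-level state but not on per-request state, so any consumer that still tests STATE_SECURE_HIGH gets different answers depending on where it reads the state. Either keep setting the bit in both places or drop it in both, and record the decision on the case, e.g. `// STATE_SECURE_HIGH is kept only for listeners that still test it`. Separately, the dump now reads `} if (f & nsIWebProgressListener::STATE_RESTORING)`; the `if` belongs on its own line. These functions start and end outside their hunks.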


@ -75,7 +75,6 @@ protected:
lis_no_security,
lis_broken_security,
lis_mixed_security,
lis_low_security,
lis_high_security
};
@ -90,8 +89,6 @@ protected:
nsXPIDLString mInfoTooltip;
int32_t mDocumentRequestsInProgress;
int32_t mSubRequestsHighSecurity;
int32_t mSubRequestsLowSecurity;
int32_t mSubRequestsBrokenSecurity;
int32_t mSubRequestsNoSecurity;
bool mRestoreSubrequests;


@ -24,7 +24,6 @@ NS_IMPL_THREADSAFE_ISUPPORTS1(nsSecurityWarningDialogs, nsISecurityWarningDialog
#define STRING_BUNDLE_URL "chrome://pipnss/locale/security.properties"
#define ENTER_SITE_PREF "security.warn_entering_secure"
#define WEAK_SITE_PREF "security.warn_entering_weak"
#define LEAVE_SITE_PREF "security.warn_leaving_secure"
#define MIXEDCONTENT_PREF "security.warn_viewing_mixed"
#define INSECURE_SUBMIT_PREF "security.warn_submit_insecure"
@ -69,21 +68,6 @@ nsSecurityWarningDialogs::ConfirmEnteringSecure(nsIInterfaceRequestor *ctx, bool
return rv;
}
NS_IMETHODIMP
nsSecurityWarningDialogs::ConfirmEnteringWeak(nsIInterfaceRequestor *ctx, bool *_retval)
{
nsresult rv;
rv = AlertDialog(ctx, WEAK_SITE_PREF,
NS_LITERAL_STRING("WeakSecureMessage").get(),
NS_LITERAL_STRING("WeakSecureShowAgain").get(),
false,
nsISecurityUITelemetry::WARNING_ENTERING_WEAK_SITE);
*_retval = true;
return rv;
}
NS_IMETHODIMP
nsSecurityWarningDialogs::ConfirmLeavingSecure(nsIInterfaceRequestor *ctx, bool *_retval)
{


@ -7,13 +7,11 @@ Title=Security Warning
MixedContentMessage=You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.
LeaveSecureMessage=You are about to leave an encrypted page. Information you send or receive from now on could easily be read by a third party.
EnterSecureMessage=You have requested an encrypted page. The website has identified itself correctly, and information you see or enter on this page can't easily be read by a third party.
WeakSecureMessage=You have requested a page that uses low-grade encryption. The website has identified itself correctly, but information you see or enter on this page could be read by a third party.
PostToInsecureFromSecureMessage=Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.##Are you sure you want to continue sending this information?##
PostToInsecureFromInsecureMessage=The information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.##Are you sure you want to continue sending this information?##
MixedContentShowAgain=Alert me whenever I'm about to view an encrypted page that contains some unencrypted information.
LeaveSecureShowAgain=Alert me whenever I leave an encrypted page for one that isn't encrypted.
EnterSecureShowAgain=Alert me whenever I am about to view an encrypted page.
WeakSecureShowAgain=Alert me whenever I am about to view a page that uses low-grade encryption.
PostToInsecureFromInsecureShowAgain=Alert me whenever I submit information that's not encrypted.
SecurityButtonTooltipText=Displays security information about the current page
SecurityButtonMixedContentTooltipText=Warning: Contains unauthenticated content


@ -14,11 +14,9 @@
#include "nsISupports.idl"
[scriptable, uuid(6AC9A699-D12A-45dc-9B02-9E5E0DD831B9)]
[scriptable, uuid(a8285dae-f125-454f-9d1b-089e3f01b2c4)]
interface nsIAssociatedContentSecurity : nsISupports
{
attribute long countSubRequestsHighSecurity;
attribute long countSubRequestsLowSecurity;
attribute long countSubRequestsBrokenSecurity;
attribute long countSubRequestsNoSecurity;
void flush();


@ -45,8 +45,6 @@ namespace mozilla { namespace psm {
TransportSecurityInfo::TransportSecurityInfo()
: mMutex("TransportSecurityInfo::mMutex"),
mSecurityState(nsIWebProgressListener::STATE_IS_INSECURE),
mSubRequestsHighSecurity(0),
mSubRequestsLowSecurity(0),
mSubRequestsBrokenSecurity(0),
mSubRequestsNoSecurity(0),
mErrorCode(0),
@ -139,40 +137,6 @@ TransportSecurityInfo::SetSecurityState(uint32_t aState)
return NS_OK;
}
/* attribute unsigned long countSubRequestsHighSecurity; */
NS_IMETHODIMP
TransportSecurityInfo::GetCountSubRequestsHighSecurity(
int32_t *aSubRequestsHighSecurity)
{
*aSubRequestsHighSecurity = mSubRequestsHighSecurity;
return NS_OK;
}
NS_IMETHODIMP
TransportSecurityInfo::SetCountSubRequestsHighSecurity(
int32_t aSubRequestsHighSecurity)
{
mSubRequestsHighSecurity = aSubRequestsHighSecurity;
return NS_ERROR_NOT_IMPLEMENTED;
}
/* attribute unsigned long countSubRequestsLowSecurity; */
NS_IMETHODIMP
TransportSecurityInfo::GetCountSubRequestsLowSecurity(
int32_t *aSubRequestsLowSecurity)
{
*aSubRequestsLowSecurity = mSubRequestsLowSecurity;
return NS_OK;
}
NS_IMETHODIMP
TransportSecurityInfo::SetCountSubRequestsLowSecurity(
int32_t aSubRequestsLowSecurity)
{
mSubRequestsLowSecurity = aSubRequestsLowSecurity;
return NS_OK;
}
/* attribute unsigned long countSubRequestsBrokenSecurity; */
NS_IMETHODIMP
TransportSecurityInfo::GetCountSubRequestsBrokenSecurity(
@ -408,8 +372,8 @@ TransportSecurityInfo::Write(nsIObjectOutputStream* stream)
stream->WriteCompoundObject(NS_ISUPPORTS_CAST(nsISSLStatus*, status),
NS_GET_IID(nsISupports), true);
stream->Write32((uint32_t)mSubRequestsHighSecurity);
stream->Write32((uint32_t)mSubRequestsLowSecurity);
stream->Write32((uint32_t)0);
stream->Write32((uint32_t)0);
stream->Write32((uint32_t)mSubRequestsBrokenSecurity);
stream->Write32((uint32_t)mSubRequestsNoSecurity);
return NS_OK;
@ -511,14 +475,13 @@ TransportSecurityInfo::Read(nsIObjectInputStream* stream)
}
if (version >= 2) {
stream->Read32((uint32_t*)&mSubRequestsHighSecurity);
stream->Read32((uint32_t*)&mSubRequestsLowSecurity);
uint32_t dummySubRequests;
stream->Read32((uint32_t*)&dummySubRequests);
stream->Read32((uint32_t*)&dummySubRequests);
stream->Read32((uint32_t*)&mSubRequestsBrokenSecurity);
stream->Read32((uint32_t*)&mSubRequestsNoSecurity);
}
else {
mSubRequestsHighSecurity = 0;
mSubRequestsLowSecurity = 0;
mSubRequestsBrokenSecurity = 0;
mSubRequestsNoSecurity = 0;
}
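Review bot: The two `stream->Write32((uint32_t)0);` calls in Write and the two reads into `dummySubRequests` in Read have no comment explaining that they stand in for the removed high/low sub-request counters. Without one, a later cleanup could delete them as dead code and shift the broken/no-security counts for every reader of the `version >= 2` layout. I would add at each site `// placeholder for the removed high/low sub-request counts; keeps the serialized layout unchanged`. The `(uint32_t*)` cast on `&dummySubRequests` is also redundant, since the variable is already declared uint32_t. Both function bodies start outside their hunks.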


@ -88,8 +88,6 @@ protected:
private:
uint32_t mSecurityState;
int32_t mSubRequestsHighSecurity;
int32_t mSubRequestsLowSecurity;
int32_t mSubRequestsBrokenSecurity;
int32_t mSubRequestsNoSecurity;
nsString mShortDesc;


@ -810,12 +810,8 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
int32_t secStatus;
if (sslStatus == SSL_SECURITY_STATUS_OFF)
secStatus = nsIWebProgressListener::STATE_IS_BROKEN;
else if (encryptBits >= 90)
secStatus = (nsIWebProgressListener::STATE_IS_SECURE |
nsIWebProgressListener::STATE_SECURE_HIGH);
else
secStatus = (nsIWebProgressListener::STATE_IS_SECURE |
nsIWebProgressListener::STATE_SECURE_LOW);
secStatus = nsIWebProgressListener::STATE_IS_SECURE;
PRBool siteSupportsSafeRenego;
if (SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn, &siteSupportsSafeRenego) != SECSuccess
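Review bot: Nothing in this hunk guards against a weak suite being negotiated, now that the final `else` reports a bare STATE_IS_SECURE for every handshake that is not SSL_SECURITY_STATUS_OFF. The lock and identity UI therefore depend entirely on the suite list configured elsewhere. A cheap fail-safe would keep the old floor and fail closed, e.g. `else if (encryptBits < 90) secStatus = nsIWebProgressListener::STATE_IS_BROKEN;` ahead of the final `else`. If encryptBits is no longer read anywhere after this change (the rest of HandshakeCallback is outside the hunk), it should be used this way or dropped along with the call that fills it.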


@ -990,12 +990,6 @@ static CipherPref CipherPrefs[] = {
{"security.ssl3.rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with RSA and a SHA1 MAC
{"security.ssl3.rsa_fips_des_ede3_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA and a SHA1 MAC (FIPS)
{"security.ssl3.rsa_des_ede3_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA and a SHA1 MAC
{"security.ssl3.rsa_fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA and a SHA1 MAC (FIPS)
{"security.ssl3.rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA and a SHA1 MAC
{"security.ssl3.rsa_1024_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, // 56-bit RC4 encryption with RSA and a SHA1 MAC (export)
{"security.ssl3.rsa_1024_des_cbc_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA and a SHA1 MAC (export)
{"security.ssl3.rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5}, // 40-bit RC4 encryption with RSA and an MD5 MAC (export)
{"security.ssl3.rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5}, // 40-bit RC2 encryption with RSA and an MD5 MAC (export)
/* Extra SSL3/TLS cipher suites */
{"security.ssl3.dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA}, // 256-bit Camellia encryption with RSA, DHE, and a SHA1 MAC
{"security.ssl3.dhe_dss_camellia_256_sha", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA}, // 256-bit Camellia encryption with DSA, DHE, and a SHA1 MAC
@ -1009,22 +1003,18 @@ static CipherPref CipherPrefs[] = {
{"security.ssl3.ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDHE-ECDSA and a SHA1 MAC
{"security.ssl3.ecdhe_ecdsa_des_ede3_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDHE-ECDSA and a SHA1 MAC
{"security.ssl3.ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDHE-ECDSA and a SHA1 MAC
{"security.ssl3.ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA}, // No encryption with ECDHE-ECDSA and a SHA1 MAC
{"security.ssl3.ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDHE-RSA and a SHA1 MAC
{"security.ssl3.ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDHE-RSA and a SHA1 MAC
{"security.ssl3.ecdhe_rsa_des_ede3_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDHE-RSA and a SHA1 MAC
{"security.ssl3.ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDHE-RSA and a SHA1 MAC
{"security.ssl3.ecdhe_rsa_null_sha", TLS_ECDHE_RSA_WITH_NULL_SHA}, // No encryption with ECDHE-RSA and a SHA1 MAC
{"security.ssl3.ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDH-ECDSA and a SHA1 MAC
{"security.ssl3.ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDH-ECDSA and a SHA1 MAC
{"security.ssl3.ecdh_ecdsa_des_ede3_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDH-ECDSA and a SHA1 MAC
{"security.ssl3.ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDH-ECDSA and a SHA1 MAC
{"security.ssl3.ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA}, // No encryption with ECDH-ECDSA and a SHA1 MAC
{"security.ssl3.ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDH-RSA and a SHA1 MAC
{"security.ssl3.ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDH-RSA and a SHA1 MAC
{"security.ssl3.ecdh_rsa_des_ede3_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDH-RSA and a SHA1 MAC
{"security.ssl3.ecdh_rsa_rc4_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDH-RSA and a SHA1 MAC
{"security.ssl3.ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA}, // No encryption with ECDH-RSA and a SHA1 MAC
{"security.ssl3.dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA}, // 128-bit Camellia encryption with RSA, DHE, and a SHA1 MAC
{"security.ssl3.dhe_dss_camellia_128_sha", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA}, // 128-bit Camellia encryption with DSA, DHE, and a SHA1 MAC
{"security.ssl3.rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA}, // 128-bit Camellia encryption with RSA and a SHA1 MAC
@ -1033,10 +1023,6 @@ static CipherPref CipherPrefs[] = {
{"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with RSA and a SHA1 MAC
{"security.ssl3.dhe_rsa_des_ede3_sha", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA, DHE, and a SHA1 MAC
{"security.ssl3.dhe_dss_des_ede3_sha", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with DSA, DHE, and a SHA1 MAC
{"security.ssl3.dhe_rsa_des_sha", SSL_DHE_RSA_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA, DHE, and a SHA1 MAC
{"security.ssl3.dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with DSA, DHE, and a SHA1 MAC
{"security.ssl3.rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, // No encryption with RSA authentication and a SHA1 MAC
{"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, // No encryption with RSA authentication and an MD5 MAC
{"security.ssl3.rsa_seed_sha", TLS_RSA_WITH_SEED_CBC_SHA}, // SEED encryption with RSA and a SHA1 MAC
{nullptr, 0} /* end marker */
};
@ -1734,8 +1720,6 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
mNSSInitialized = true;
::NSS_SetDomesticPolicy();
// SSL_EnableCipher(SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED);
// SSL_EnableCipher(SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED);
PK11_SetPasswordFunc(PK11PasswordPrompt);
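Review bot: None of the visible hunks actually disables the DES, export and NULL suites in NSS; dropping their rows from CipherPrefs only stops the prefs from controlling them. `::NSS_SetDomesticPolicy()` is still called just before, and as far as I know it leaves every suite permitted by policy. So the result depends on InitializeNSS turning every implemented suite off before it applies this table, which is outside the hunks and should be confirmed. I would state the invariant above the table, e.g. `// Any suite not listed here is expected to be disabled at NSS init; do not rely on NSS defaults`, and back it with a debug-only check that none of the removed suite ids is enabled after initialization.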