From f71f51550820b0ac143f0d95ecd05b8468fa9faa Mon Sep 17 00:00:00 2001 From: roytam1 Date: Fri, 21 Jan 2022 21:28:21 +0800 Subject: [PATCH] import changes from `dev' branch of rmottola/Arctic-Fox: - Bug 1141906 - Adjust some assertions in Linux sandbox feature detection. r=kang (365e9a6a8e) - bug 1169408 - Merge mozButtonAccessible and mozPopupButtonAccessible r=surkov (6996bb22e8) - Bug 1162434 - Make windows emulation work on X64, r=marcoz (f0bb96de8a) - Bug 1162434 part 2 - Fix ISimpleDOMNode Unique ID on 64 bit systems, r=surkov (1afbaa9fec) - code style (3cabaf0882) - Bug 734229 - Partially address by refusing to re-negotiate on NTLM. r=mayhemer, r=keeler (59b7feea33) - Bug 1164714 - Move netwerk/base/nsISiteSecurityService.idl into security/manager/ssl. r=keeler,mcmanus (154e93a29c) - Bug 1164714 - Move netwerk/test/TestSTSParser.cpp into security/manager/ssl/tests/. r=keeler (7fc68a2b66) - Bug 1124649 - Part 1 - Add specific error messages for various types of STS and PKP header failures. r=keeler,hurley (e967aef5fc) - Bug 1046421 - Do not disclose the system hostname via NTLM handler. r=honzab (a4a85439ca) - Bug 1084025 - Add telemetry to measure failures due to not falling back. r=keeler (5388e21c64) - Bug 1106470 - Drop SSLv3 support entirely from PSM. r=keeler (5de896acc0) - Bug 1195606 - Use channel->ascynOpen2 in security/manager/ssl/nsNSSCallbacks.cpp (r=sicking) (8b5e18f069) - Bug 1197644 - Remove the security.ssl.warn_missing_rfc5746 pref. r=keeler (f76ae9af3e) - namespace (7817663683) --- accessible/mac/AccessibleWrap.h | 5 +- accessible/mac/mozActionElements.h | 7 +- accessible/mac/mozActionElements.mm | 129 ++++---------- accessible/windows/msaa/nsWinUtils.cpp | 5 +- accessible/windows/sdn/sdnAccessible.cpp | 7 +- .../en-US/chrome/security/security.properties | 30 +++- modules/libpref/init/all.js | 10 ++ netwerk/base/moz.build | 1 - netwerk/base/security-prefs.js | 1 - netwerk/protocol/http/nsHttpChannel.cpp | 89 +++++++++- netwerk/test/moz.build | 1 - security/manager/ssl/DataStorage.h | 2 +- security/manager/ssl/NSSErrorsService.h | 4 +- security/manager/ssl/PSMContentListener.h | 4 +- security/manager/ssl/md4.h | 2 +- security/manager/ssl/moz.build | 1 + .../manager/ssl}/nsISiteSecurityService.idl | 31 +++- security/manager/ssl/nsNSSCallbacks.cpp | 17 +- security/manager/ssl/nsNSSCertificate.h | 2 +- security/manager/ssl/nsNSSComponent.cpp | 15 +- security/manager/ssl/nsNSSIOLayer.cpp | 92 +++++----- security/manager/ssl/nsNSSIOLayer.h | 11 +- security/manager/ssl/nsNTLMAuthModule.cpp | 58 ++++--- security/manager/ssl/nsNTLMAuthModule.h | 1 + .../manager/ssl/nsSiteSecurityService.cpp | 124 ++++++++++---- security/manager/ssl/nsSiteSecurityService.h | 8 +- .../ssl/tests/compiled}/TestSTSParser.cpp | 4 +- security/manager/ssl/tests/compiled/moz.build | 8 +- .../ssl/tests/gtest/TLSIntoleranceTest.cpp | 160 +++++++----------- security/sandbox/linux/common/SandboxInfo.cpp | 49 ++++-- toolkit/components/telemetry/Histograms.json | 20 +-- 31 files changed, 515 insertions(+), 383 deletions(-) rename {netwerk/base => security/manager/ssl}/nsISiteSecurityService.idl (84%) rename {netwerk/test => security/manager/ssl/tests/compiled}/TestSTSParser.cpp (98%) diff --git a/accessible/mac/AccessibleWrap.h b/accessible/mac/AccessibleWrap.h index 40d443b1ce..df6775bcd2 100644 --- a/accessible/mac/AccessibleWrap.h +++ b/accessible/mac/AccessibleWrap.h @@ -59,10 +59,7 @@ public: // construction, destruction * for it. */ bool IsIgnored(); - - inline bool HasPopup () - { return (NativeState() & mozilla::a11y::states::HASPOPUP); } - + /** * Returns this accessible's all children, adhering to "flat" accessibles by * not returning their children. diff --git a/accessible/mac/mozActionElements.h b/accessible/mac/mozActionElements.h index d3769bbc7e..a325921eb8 100644 --- a/accessible/mac/mozActionElements.h +++ b/accessible/mac/mozActionElements.h @@ -9,6 +9,9 @@ /* Simple subclasses for things like checkboxes, buttons, etc. */ @interface mozButtonAccessible : mozAccessible + { + } +- (BOOL)hasPopup; - (void)click; - (BOOL)isTab; @end @@ -18,10 +21,6 @@ - (int)isChecked; @end -/* Used for buttons that may pop up a menu. */ -@interface mozPopupButtonAccessible : mozButtonAccessible -@end - /* Class for tabs - not individual tabs */ @interface mozTabsAccessible : mozAccessible { diff --git a/accessible/mac/mozActionElements.mm b/accessible/mac/mozActionElements.mm index 15d0367805..9b3780cac7 100644 --- a/accessible/mac/mozActionElements.mm +++ b/accessible/mac/mozActionElements.mm @@ -42,6 +42,7 @@ enum CheckboxValue { NSAccessibilityEnabledAttribute, // required NSAccessibilityFocusedAttribute, // required NSAccessibilityTitleAttribute, // required + NSAccessibilityChildrenAttribute, NSAccessibilityDescriptionAttribute, #if DEBUG @"AXMozDescription", @@ -57,15 +58,19 @@ enum CheckboxValue { { NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; - if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) + if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) { + if ([self hasPopup]) + return [self children]; return nil; + } + if ([attribute isEqualToString:NSAccessibilityRoleDescriptionAttribute]) { if ([self isTab]) return utils::LocalizedString(NS_LITERAL_STRING("tab")); - + return NSAccessibilityRoleDescription([self role], nil); } - + return [super accessibilityAttributeValue:attribute]; NS_OBJC_END_TRY_ABORT_BLOCK_NIL; @@ -80,36 +85,49 @@ enum CheckboxValue { { NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; - if ([self isEnabled]) + if ([self isEnabled]) { + if ([self hasPopup]) + return [NSArray arrayWithObjects:NSAccessibilityPressAction, + NSAccessibilityShowMenuAction, + nil]; return [NSArray arrayWithObject:NSAccessibilityPressAction]; - + } return nil; NS_OBJC_END_TRY_ABORT_BLOCK_NIL; } -- (NSString*)accessibilityActionDescription:(NSString*)action +- (NSString*)accessibilityActionDescription:(NSString*)action { NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; if ([action isEqualToString:NSAccessibilityPressAction]) { if ([self isTab]) return utils::LocalizedString(NS_LITERAL_STRING("switch")); - + return @"press button"; // XXX: localize this later? } - + + if ([self hasPopup]) { + if ([action isEqualToString:NSAccessibilityShowMenuAction]) + return @"show menu"; + } + return nil; NS_OBJC_END_TRY_ABORT_BLOCK_NIL; } -- (void)accessibilityPerformAction:(NSString*)action +- (void)accessibilityPerformAction:(NSString*)action { NS_OBJC_BEGIN_TRY_ABORT_BLOCK; - if ([action isEqualToString:NSAccessibilityPressAction]) + if ([self isEnabled] && [action isEqualToString:NSAccessibilityPressAction]) { + // TODO: this should bring up the menu, but currently doesn't. + // once msaa and atk have merged better, they will implement + // the action needed to show the menu. [self click]; + } NS_OBJC_END_TRY_ABORT_BLOCK; } @@ -127,6 +145,12 @@ enum CheckboxValue { return (accWrap && (accWrap->Role() == roles::PAGETAB)); } +- (BOOL)hasPopup +{ + AccessibleWrap* accWrap = [self getGeckoAccessible]; + return accWrap && (accWrap->NativeState() & mozilla::a11y::states::HASPOPUP); +} + @end @implementation mozCheckboxAccessible @@ -170,91 +194,6 @@ enum CheckboxValue { @end -@implementation mozPopupButtonAccessible - -- (NSArray *)accessibilityAttributeNames -{ - NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; - - static NSArray *attributes = nil; - - if (!attributes) { - attributes = [[NSArray alloc] initWithObjects:NSAccessibilityParentAttribute, // required - NSAccessibilityPositionAttribute, // required - NSAccessibilityRoleAttribute, // required - NSAccessibilitySizeAttribute, // required - NSAccessibilityWindowAttribute, // required - NSAccessibilityTopLevelUIElementAttribute, // required - NSAccessibilityHelpAttribute, - NSAccessibilityEnabledAttribute, // required - NSAccessibilityFocusedAttribute, // required - NSAccessibilityTitleAttribute, // required for popupmenus, and for menubuttons with a title - NSAccessibilityChildrenAttribute, // required - NSAccessibilityDescriptionAttribute, // required if it has no title attr -#if DEBUG - @"AXMozDescription", -#endif - nil]; - } - return attributes; - - NS_OBJC_END_TRY_ABORT_BLOCK_NIL; -} - -- (id)accessibilityAttributeValue:(NSString *)attribute -{ - NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; - - if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) { - return [super children]; - } - return [super accessibilityAttributeValue:attribute]; - - NS_OBJC_END_TRY_ABORT_BLOCK_NIL; -} - -- (NSArray *)accessibilityActionNames -{ - NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; - - if ([self isEnabled]) { - return [NSArray arrayWithObjects:NSAccessibilityPressAction, - NSAccessibilityShowMenuAction, - nil]; - } - return nil; - - NS_OBJC_END_TRY_ABORT_BLOCK_NIL; -} - -- (NSString *)accessibilityActionDescription:(NSString *)action -{ - NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL; - - if ([action isEqualToString:NSAccessibilityShowMenuAction]) - return @"show menu"; - return [super accessibilityActionDescription:action]; - - NS_OBJC_END_TRY_ABORT_BLOCK_NIL; -} - -- (void)accessibilityPerformAction:(NSString *)action -{ - NS_OBJC_BEGIN_TRY_ABORT_BLOCK; - - // both the ShowMenu and Click action do the same thing. - if ([self isEnabled]) { - // TODO: this should bring up the menu, but currently doesn't. - // once msaa and atk have merged better, they will implement - // the action needed to show the menu. - [super click]; - } - - NS_OBJC_END_TRY_ABORT_BLOCK; -} - -@end - @implementation mozTabsAccessible - (void)dealloc diff --git a/accessible/windows/msaa/nsWinUtils.cpp b/accessible/windows/msaa/nsWinUtils.cpp index 545c7c865b..96a2ddb32f 100644 --- a/accessible/windows/msaa/nsWinUtils.cpp +++ b/accessible/windows/msaa/nsWinUtils.cpp @@ -149,7 +149,10 @@ WindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam) switch (msg) { case WM_GETOBJECT: { - if (lParam == OBJID_CLIENT) { + // Do explicit casting to make it working on 64bit systems (see bug 649236 + // for details). + int32_t objId = static_cast(lParam); + if (objId == OBJID_CLIENT) { DocAccessible* document = nsWinUtils::sHWNDCache->GetWeak(static_cast(hWnd)); if (document) { diff --git a/accessible/windows/sdn/sdnAccessible.cpp b/accessible/windows/sdn/sdnAccessible.cpp index 046d734c3a..9c3b2cc8eb 100644 --- a/accessible/windows/sdn/sdnAccessible.cpp +++ b/accessible/windows/sdn/sdnAccessible.cpp @@ -106,8 +106,11 @@ sdnAccessible::get_nodeInfo(BSTR __RPC_FAR* aNodeName, // focus events, to correlate back to data nodes in their internal object // model. Accessible* accessible = GetAccessible(); - *aUniqueID = - NS_PTR_TO_INT32(accessible ? accessible->UniqueID() : - static_cast(this)); + if (accessible) { + *aUniqueID = AccessibleWrap::GetChildIDFor(accessible); + } else { + *aUniqueID = - NS_PTR_TO_INT32(static_cast(this)); + } *aNumChildren = mNode->GetChildCount(); diff --git a/dom/locales/en-US/chrome/security/security.properties b/dom/locales/en-US/chrome/security/security.properties index 6096defff8..b8e8ca7b86 100644 --- a/dom/locales/en-US/chrome/security/security.properties +++ b/dom/locales/en-US/chrome/security/security.properties @@ -16,10 +16,32 @@ CORSInvalidAllowMethod=Cross-Origin Request Blocked: The Same Origin Policy disa CORSInvalidAllowHeader=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: invalid token '%2$S' in CORS header 'Access-Control-Allow-Headers'). CORSMissingAllowHeaderFromPreflight=Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at %1$S. (Reason: missing token '%2$S' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel). -# LOCALIZATION NOTE: Do not translate "Strict-Transport-Security" or "HSTS" -InvalidSTSHeaders=The site specified an invalid Strict-Transport-Security header. -# LOCALIZATION NOTE: Do not translate "Public-Key-Pins or HPKP" -InvalidPKPHeaders=The site specified an invalid Public-Key-Pins header. +# LOCALIZATION NOTE: Do not translate "Strict-Transport-Security", "HSTS", "max-age" or "includeSubDomains" +STSUnknownError=Strict-Transport-Security: An unknown error occurred processing the header specified by the site. +STSUntrustworthyConnection=Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored. +STSCouldNotParseHeader=Strict-Transport-Security: The site specified a header that could not be parsed successfully. +STSNoMaxAge=Strict-Transport-Security: The site specified a header that did not include a 'max-age' directive. +STSMultipleMaxAges=Strict-Transport-Security: The site specified a header that included multiple 'max-age' directives. +STSInvalidMaxAge=Strict-Transport-Security: The site specified a header that included an invalid 'max-age' directive. +STSMultipleIncludeSubdomains=Strict-Transport-Security: The site specified a header that included multiple 'includeSubDomains' directives. +STSInvalidIncludeSubdomains=Strict-Transport-Security: The site specified a header that included an invalid 'includeSubDomains' directive. +STSCouldNotSaveState=Strict-Transport-Security: An error occurred noting the site as a Strict-Transport-Security host. + +# LOCALIZATION NOTE: Do not translate "Public-Key-Pins", "HPKP", "max-age" or "includeSubDomains" +PKPUnknownError=Public-Key-Pins: An unknown error occurred processing the header specified by the site. +PKPUntrustworthyConnection=Public-Key-Pins: The connection to the site is untrustworthy, so the specified header was ignored. +PKPCouldNotParseHeader=Public-Key-Pins: The site specified a header that could not be parsed successfully. +PKPNoMaxAge=Public-Key-Pins: The site specified a header that did not include a 'max-age' directive. +PKPMultipleMaxAges=Public-Key-Pins: The site specified a header that included multiple 'max-age' directives. +PKPInvalidMaxAge=Public-Key-Pins: The site specified a header that included an invalid 'max-age' directive. +PKPMultipleIncludeSubdomains=Public-Key-Pins: The site specified a header that included multiple 'includeSubDomains' directives. +PKPInvalidIncludeSubdomains=Public-Key-Pins: The site specified a header that included an invalid 'includeSubDomains' directive. +PKPInvalidPin=Public-Key-Pins: The site specified a header that included an invalid pin. +PKPMultipleReportURIs=Public-Key-Pins: The site specified a header that included multiple 'report-uri' directives. +PKPPinsetDoesNotMatch=Public-Key-Pins: The site specified a header that did not include a matching pin. +PKPNoBackupPin=Public-Key-Pins: The site specified a header that did not include a backup pin. +PKPCouldNotSaveState=Public-Key-Pins: An error occurred noting the site as a Public-Key-Pins host. + # LOCALIZATION NOTE: Do not translate "SHA-1" SHA1Sig=This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1. InsecurePasswordsPresentOnPage=Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen. diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 395e6fe325..6292a013a7 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -2035,6 +2035,16 @@ pref("network.automatic-ntlm-auth.allow-proxies", true); pref("network.automatic-ntlm-auth.allow-non-fqdn", false); pref("network.automatic-ntlm-auth.trusted-uris", ""); +// The string to return to the server as the 'workstation' that the +// user is using. Bug 1046421 notes that the previous default, of the +// system hostname, could be used for user fingerprinting. +// +// However, in some network environments where allowedWorkstations is in use +// to provide a level of host-based access control, it must be set to a string +// that is listed in allowedWorkstations for the user's account in their +// AD Domain. +pref("network.generic-ntlm-auth.workstation", "WORKSTATION"); + // Sub-resources HTTP-authentication: // 0 - don't allow sub-resources to open HTTP authentication credentials // dialogs diff --git a/netwerk/base/moz.build b/netwerk/base/moz.build index 042be42b76..e52015eb57 100644 --- a/netwerk/base/moz.build +++ b/netwerk/base/moz.build @@ -101,7 +101,6 @@ XPIDL_SOURCES += [ 'nsISerializationHelper.idl', 'nsIServerSocket.idl', 'nsISimpleStreamListener.idl', - 'nsISiteSecurityService.idl', 'nsISocketTransport.idl', 'nsISocketTransportService.idl', 'nsISpeculativeConnect.idl', diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js index b787297ae3..a09e62589a 100644 --- a/netwerk/base/security-prefs.js +++ b/netwerk/base/security-prefs.js @@ -18,7 +18,6 @@ pref("security.tls.enable_0rtt_data", false); pref("security.ssl.treat_unsafe_negotiation_as_broken", false); pref("security.ssl.require_safe_negotiation", false); -pref("security.ssl.warn_missing_rfc5746", 1); pref("security.ssl.enable_ocsp_stapling", true); pref("security.ssl.enable_false_start", false); pref("security.ssl.false_start.require-npn", false); diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp index 3a1ec31d58..68d18a37ff 100644 --- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -1139,8 +1139,88 @@ nsHttpChannel::ProcessFailedProxyConnect(uint32_t httpStatus) return rv; } +static void +GetSTSConsoleErrorTag(uint32_t failureResult, nsAString& consoleErrorTag) +{ + switch (failureResult) { + case nsISiteSecurityService::ERROR_UNTRUSTWORTHY_CONNECTION: + consoleErrorTag = NS_LITERAL_STRING("STSUntrustworthyConnection"); + break; + case nsISiteSecurityService::ERROR_COULD_NOT_PARSE_HEADER: + consoleErrorTag = NS_LITERAL_STRING("STSCouldNotParseHeader"); + break; + case nsISiteSecurityService::ERROR_NO_MAX_AGE: + consoleErrorTag = NS_LITERAL_STRING("STSNoMaxAge"); + break; + case nsISiteSecurityService::ERROR_MULTIPLE_MAX_AGES: + consoleErrorTag = NS_LITERAL_STRING("STSMultipleMaxAges"); + break; + case nsISiteSecurityService::ERROR_INVALID_MAX_AGE: + consoleErrorTag = NS_LITERAL_STRING("STSInvalidMaxAge"); + break; + case nsISiteSecurityService::ERROR_MULTIPLE_INCLUDE_SUBDOMAINS: + consoleErrorTag = NS_LITERAL_STRING("STSMultipleIncludeSubdomains"); + break; + case nsISiteSecurityService::ERROR_INVALID_INCLUDE_SUBDOMAINS: + consoleErrorTag = NS_LITERAL_STRING("STSInvalidIncludeSubdomains"); + break; + case nsISiteSecurityService::ERROR_COULD_NOT_SAVE_STATE: + consoleErrorTag = NS_LITERAL_STRING("STSCouldNotSaveState"); + break; + default: + consoleErrorTag = NS_LITERAL_STRING("STSUnknownError"); + break; + } +} + +static void +GetPKPConsoleErrorTag(uint32_t failureResult, nsAString& consoleErrorTag) +{ + switch (failureResult) { + case nsISiteSecurityService::ERROR_UNTRUSTWORTHY_CONNECTION: + consoleErrorTag = NS_LITERAL_STRING("PKPUntrustworthyConnection"); + break; + case nsISiteSecurityService::ERROR_COULD_NOT_PARSE_HEADER: + consoleErrorTag = NS_LITERAL_STRING("PKPCouldNotParseHeader"); + break; + case nsISiteSecurityService::ERROR_NO_MAX_AGE: + consoleErrorTag = NS_LITERAL_STRING("PKPNoMaxAge"); + break; + case nsISiteSecurityService::ERROR_MULTIPLE_MAX_AGES: + consoleErrorTag = NS_LITERAL_STRING("PKPMultipleMaxAges"); + break; + case nsISiteSecurityService::ERROR_INVALID_MAX_AGE: + consoleErrorTag = NS_LITERAL_STRING("PKPInvalidMaxAge"); + break; + case nsISiteSecurityService::ERROR_MULTIPLE_INCLUDE_SUBDOMAINS: + consoleErrorTag = NS_LITERAL_STRING("PKPMultipleIncludeSubdomains"); + break; + case nsISiteSecurityService::ERROR_INVALID_INCLUDE_SUBDOMAINS: + consoleErrorTag = NS_LITERAL_STRING("PKPInvalidIncludeSubdomains"); + break; + case nsISiteSecurityService::ERROR_INVALID_PIN: + consoleErrorTag = NS_LITERAL_STRING("PKPInvalidPin"); + break; + case nsISiteSecurityService::ERROR_MULTIPLE_REPORT_URIS: + consoleErrorTag = NS_LITERAL_STRING("PKPMultipleReportURIs"); + break; + case nsISiteSecurityService::ERROR_PINSET_DOES_NOT_MATCH_CHAIN: + consoleErrorTag = NS_LITERAL_STRING("PKPPinsetDoesNotMatch"); + break; + case nsISiteSecurityService::ERROR_NO_BACKUP_PIN: + consoleErrorTag = NS_LITERAL_STRING("PKPNoBackupPin"); + break; + case nsISiteSecurityService::ERROR_COULD_NOT_SAVE_STATE: + consoleErrorTag = NS_LITERAL_STRING("PKPCouldNotSaveState"); + break; + default: + consoleErrorTag = NS_LITERAL_STRING("PKPUnknownError"); + break; + } +} + /** - * Process a single security header. Only two types are suported HSTS and HPKP. + * Process a single security header. Only two types are supported: HSTS and HPKP. */ nsresult nsHttpChannel::ProcessSingleSecurityHeader(uint32_t aType, @@ -1167,18 +1247,19 @@ nsHttpChannel::ProcessSingleSecurityHeader(uint32_t aType, NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY); // Process header will now discard the headers itself if the channel // wasn't secure (whereas before it had to be checked manually) + uint32_t failureResult; rv = sss->ProcessHeader(aType, mURI, securityHeader.get(), aSSLStatus, - aFlags, nullptr, nullptr); + aFlags, nullptr, nullptr, &failureResult); if (NS_FAILED(rv)) { nsAutoString consoleErrorCategory; nsAutoString consoleErrorTag; switch (aType) { case nsISiteSecurityService::HEADER_HSTS: - consoleErrorTag = NS_LITERAL_STRING("InvalidSTSHeaders"); + GetSTSConsoleErrorTag(failureResult, consoleErrorTag); consoleErrorCategory = NS_LITERAL_STRING("Invalid HSTS Headers"); break; case nsISiteSecurityService::HEADER_HPKP: - consoleErrorTag = NS_LITERAL_STRING("InvalidPKPHeaders"); + GetPKPConsoleErrorTag(failureResult, consoleErrorTag); consoleErrorCategory = NS_LITERAL_STRING("Invalid HPKP Headers"); break; default: diff --git a/netwerk/test/moz.build b/netwerk/test/moz.build index 6555cf5309..911b866f1f 100644 --- a/netwerk/test/moz.build +++ b/netwerk/test/moz.build @@ -45,7 +45,6 @@ GeckoSimplePrograms([ CppUnitTests([ 'TestBind', 'TestCookie', - 'TestSTSParser', 'TestUDPSocket', ]) diff --git a/security/manager/ssl/DataStorage.h b/security/manager/ssl/DataStorage.h index 11dea8c882..2dd658a451 100644 --- a/security/manager/ssl/DataStorage.h +++ b/security/manager/ssl/DataStorage.h @@ -180,6 +180,6 @@ private: const nsString mFilename; }; -}; // namespace mozilla +} // namespace mozilla #endif // mozilla_DataStorage_h diff --git a/security/manager/ssl/NSSErrorsService.h b/security/manager/ssl/NSSErrorsService.h index 0a72c85a9e..844ceda35e 100644 --- a/security/manager/ssl/NSSErrorsService.h +++ b/security/manager/ssl/NSSErrorsService.h @@ -40,8 +40,8 @@ bool IsNSSErrorCode(PRErrorCode code); nsresult GetXPCOMFromNSSError(PRErrorCode code); bool ErrorIsOverridable(PRErrorCode code); -} // psm -} // mozilla +} // namespace psm +} // namespace mozilla #define NS_NSSERRORSSERVICE_CID \ { 0x9ef18451, 0xa157, 0x4d17, { 0x81, 0x32, 0x47, 0xaf, 0xef, 0x21, 0x36, 0x89 } } diff --git a/security/manager/ssl/PSMContentListener.h b/security/manager/ssl/PSMContentListener.h index 13bff90b7c..d948383a45 100644 --- a/security/manager/ssl/PSMContentListener.h +++ b/security/manager/ssl/PSMContentListener.h @@ -21,8 +21,8 @@ namespace net { class PChannelDiverterParent; -} -} +} // namespace net +} // namespace mozilla namespace mozilla { namespace psm { diff --git a/security/manager/ssl/md4.h b/security/manager/ssl/md4.h index b9dd96ff67..4107aed407 100644 --- a/security/manager/ssl/md4.h +++ b/security/manager/ssl/md4.h @@ -14,7 +14,7 @@ extern "C" { /** * md4sum - computes the MD4 sum over the input buffer per RFC 1320 - * + * * @param input * buffer containing input data * @param inputLen diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build index 80c132a8dd..a749ef8098 100644 --- a/security/manager/ssl/moz.build +++ b/security/manager/ssl/moz.build @@ -31,6 +31,7 @@ XPIDL_SOURCES += [ 'nsIPKCS11Slot.idl', 'nsIProtectedAuthThread.idl', 'nsISecurityUITelemetry.idl', + 'nsISiteSecurityService.idl', 'nsISSLStatus.idl', 'nsISSLStatusProvider.idl', 'nsITokenDialogs.idl', diff --git a/netwerk/base/nsISiteSecurityService.idl b/security/manager/ssl/nsISiteSecurityService.idl similarity index 84% rename from netwerk/base/nsISiteSecurityService.idl rename to security/manager/ssl/nsISiteSecurityService.idl index 0f2b4f69ae..a90fd8199b 100644 --- a/netwerk/base/nsISiteSecurityService.idl +++ b/security/manager/ssl/nsISiteSecurityService.idl @@ -23,13 +23,28 @@ namespace mozilla [ref] native nsCStringTArrayRef(nsTArray); [ref] native mozillaPkixTime(mozilla::pkix::Time); -[scriptable, uuid(e219eace-0e04-42ba-b203-58a8b327867c)] +[scriptable, uuid(e6cac961-9f03-4cc3-ad00-a829ae7304dc)] interface nsISiteSecurityService : nsISupports { const uint32_t HEADER_HSTS = 0; const uint32_t HEADER_HPKP = 1; const uint32_t HEADER_OMS = 2; + const uint32_t Success = 0; + const uint32_t ERROR_UNKNOWN = 1; + const uint32_t ERROR_UNTRUSTWORTHY_CONNECTION = 2; + const uint32_t ERROR_COULD_NOT_PARSE_HEADER = 3; + const uint32_t ERROR_NO_MAX_AGE = 4; + const uint32_t ERROR_MULTIPLE_MAX_AGES = 5; + const uint32_t ERROR_INVALID_MAX_AGE = 6; + const uint32_t ERROR_MULTIPLE_INCLUDE_SUBDOMAINS = 7; + const uint32_t ERROR_INVALID_INCLUDE_SUBDOMAINS = 8; + const uint32_t ERROR_INVALID_PIN = 9; + const uint32_t ERROR_MULTIPLE_REPORT_URIS = 10; + const uint32_t ERROR_PINSET_DOES_NOT_MATCH_CHAIN = 11; + const uint32_t ERROR_NO_BACKUP_PIN = 12; + const uint32_t ERROR_COULD_NOT_SAVE_STATE = 13; + /** * Parses a given HTTP header and records the results internally. * Currently two header types are supported: HSTS (aka STS) and HPKP @@ -37,9 +52,9 @@ interface nsISiteSecurityService : nsISupports * https://tools.ietf.org/html/rfc6797 * and allows a host to specify that future HTTP requests should be * upgraded to HTTPS. - * The Format of the HPKP header is currently defined by: - * https://tools.ietf.org/html/draft-ietf-websec-key-pinning-20 - * and allows a host to speficy a subset of trusted anchors to be used + * The format of the HPKP header is defined by the HPKP specification: + * https://tools.ietf.org/html/rfc7469 + * and allows a host to specify a subset of trusted anchors to be used * in future HTTPS connections. * * @param aType the type of security header in question. @@ -50,6 +65,8 @@ interface nsISiteSecurityService : nsISupports * NO_PERMANENT_STORAGE * @param aMaxAge the parsed max-age directive of the header. * @param aIncludeSubdomains the parsed includeSubdomains directive. + * @param aFailureResult a more specific failure result if NS_ERROR_FAILURE + was returned. * @return NS_OK if it succeeds * NS_ERROR_FAILURE if it can't be parsed * NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA @@ -61,7 +78,8 @@ interface nsISiteSecurityService : nsISupports in nsISSLStatus aSSLStatus, in uint32_t aFlags, [optional] out unsigned long long aMaxAge, - [optional] out boolean aIncludeSubdomains); + [optional] out boolean aIncludeSubdomains, + [optional] out uint32_t aFailureResult); /** * Same as processHeader but without checking for the security properties @@ -72,7 +90,8 @@ interface nsISiteSecurityService : nsISupports in string aHeader, in uint32_t aFlags, [optional] out unsigned long long aMaxAge, - [optional] out boolean aIncludeSubdomains); + [optional] out boolean aIncludeSubdomains, + [optional] out uint32_t aFailureResult); /** * Given a header type, removes state relating to that header of a host, diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp index 02f87f2f94..e958c9567a 100644 --- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -31,7 +31,7 @@ extern PRLogModuleInfo* gPIPNSSLog; namespace { -} +} // namespace class nsHTTPDownloadEvent : public nsRunnable { public: @@ -78,7 +78,7 @@ nsHTTPDownloadEvent::Run() nullptr, // aLoadingNode nsContentUtils::GetSystemPrincipal(), nullptr, // aTriggeringPrincipal - nsILoadInfo::SEC_NORMAL, + nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL, nsIContentPolicy::TYPE_OTHER, getter_AddRefs(chan)); NS_ENSURE_STATE(chan); @@ -145,7 +145,7 @@ nsHTTPDownloadEvent::Run() if (NS_SUCCEEDED(rv)) { mStartTime = TimeStamp::Now(); - rv = hchan->AsyncOpen(mListener->mLoader, nullptr); + rv = hchan->AsyncOpen2(mListener->mLoader); } if (NS_FAILED(rv)) { @@ -1006,7 +1006,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { infoObject->GetPort(), versions.max); - bool usesWeakProtocol = false; bool usesWeakCipher = false; SSLChannelInfo channelInfo; rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)); @@ -1018,8 +1017,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { sizeof cipherInfo); MOZ_ASSERT(rv == SECSuccess); if (rv == SECSuccess) { - usesWeakProtocol = - channelInfo.protocolVersion <= SSL_LIBRARY_VERSION_3_0; usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4; DebugOnly KEAUsed; @@ -1044,11 +1041,8 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { ioLayerHelpers.treatUnsafeNegotiationAsBroken(); uint32_t state; - if (usesWeakProtocol || usesWeakCipher || renegotiationUnsafe) { + if (usesWeakCipher || renegotiationUnsafe) { state = nsIWebProgressListener::STATE_IS_BROKEN; - if (usesWeakProtocol) { - state |= nsIWebProgressListener::STATE_USES_SSL_3; - } if (usesWeakCipher) { state |= nsIWebProgressListener::STATE_USES_WEAK_CRYPTO; } @@ -1063,8 +1057,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { // to log the warning. In particular, these warnings should go to the web // console instead of to the error console. Also, the warning is not // localized. - if (!siteSupportsSafeRenego && - ioLayerHelpers.getWarnLevelMissingRFC5746() > 0) { + if (!siteSupportsSafeRenego) { nsXPIDLCString hostName; infoObject->GetHostName(getter_Copies(hostName)); diff --git a/security/manager/ssl/nsNSSCertificate.h b/security/manager/ssl/nsNSSCertificate.h index 77e3ab45bd..ba8f29e302 100644 --- a/security/manager/ssl/nsNSSCertificate.h +++ b/security/manager/ssl/nsNSSCertificate.h @@ -81,7 +81,7 @@ SECStatus ConstructCERTCertListFromReversedDERArray( const mozilla::pkix::DERArray& certArray, /*out*/ mozilla::ScopedCERTCertList& certList); -} // namespcae mozilla +} // namespace mozilla class nsNSSCertList: public nsIX509CertList, public nsISerializable, diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 1f3af8ac77..a0bb4049e3 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -760,9 +760,9 @@ nsNSSComponent::UseWeakCiphersOnSocket(PRFileDesc* fd) } } -// This function will convert from pref values like 0, 1, ... -// to the internal values of SSL_LIBRARY_VERSION_3_0, -// SSL_LIBRARY_VERSION_TLS_1_0, ... +// This function will convert from pref values like 1, 2, ... +// to the internal values of SSL_LIBRARY_VERSION_TLS_1_0, +// SSL_LIBRARY_VERSION_TLS_1_1, ... /*static*/ void nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut, uint32_t minFromPrefs, @@ -771,8 +771,8 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut, { rangeOut = defaults; // determine what versions are supported - SSLVersionRange range; - if (SSL_VersionRangeGetSupported(ssl_variant_stream, &range) + SSLVersionRange supported; + if (SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) != SECSuccess) { return; } @@ -782,7 +782,8 @@ nsNSSComponent::FillTLSVersionRange(SSLVersionRange& rangeOut, maxFromPrefs += SSL_LIBRARY_VERSION_3_0; // if min/maxFromPrefs are invalid, use defaults if (minFromPrefs > maxFromPrefs || - minFromPrefs < range.min || maxFromPrefs > range.max) { + minFromPrefs < supported.min || maxFromPrefs > supported.max || + minFromPrefs < SSL_LIBRARY_VERSION_TLS_1_0) { return; } @@ -946,7 +947,7 @@ nsresult nsNSSComponent::setEnabledTLSVersions() { // keep these values in sync with security-prefs.js - // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc. + // 1 means TLS 1.0, 2 means TLS 1.1, etc. static const uint32_t PSM_DEFAULT_MIN_TLS_VERSION = 1; static const uint32_t PSM_DEFAULT_MAX_TLS_VERSION = 4; diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index 3d7192f9c3..ebbfab1d74 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -681,7 +681,7 @@ getSocketInfoIfRunning(PRFileDesc* fd, Operation op, return socketInfo; } -} // unnnamed namespace +} // namespace static PRStatus nsSSLIOLayerConnect(PRFileDesc* fd, const PRNetAddr* addr, @@ -736,7 +736,7 @@ nsSSLIOLayerHelpers::rememberTolerantAtVersion(const nsACString& hostName, mTLSIntoleranceInfo.Put(key, entry); } -void +uint16_t nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName, int16_t port) { @@ -745,10 +745,12 @@ nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName, MutexAutoLock lock(mutex); + uint16_t tolerant = 0; IntoleranceEntry entry; if (mTLSIntoleranceInfo.Get(key, &entry)) { entry.AssertInvariant(); + tolerant = entry.tolerant; entry.intolerant = 0; entry.intoleranceReason = 0; if (entry.strongCipherStatus != StrongCiphersWorked) { @@ -758,6 +760,8 @@ nsSSLIOLayerHelpers::forgetIntolerance(const nsACString& hostName, entry.AssertInvariant(); mTLSIntoleranceInfo.Put(key, entry); } + + return tolerant; } bool @@ -780,7 +784,47 @@ nsSSLIOLayerHelpers::rememberIntolerantAtVersion(const nsACString& hostName, { if (intolerant <= minVersion || fallbackLimitReached(hostName, intolerant)) { // We can't fall back any further. Assume that intolerance isn't the issue. - forgetIntolerance(hostName, port); + uint32_t tolerant = forgetIntolerance(hostName, port); + // If we know the server is tolerant at the version, we don't have to + // gather the telemetry. + if (intolerant <= tolerant) { + return false; + } + + /*uint32_t fallbackLimitBucket = 0; + // added if the version has reached the min version. + if (intolerant <= minVersion) { + switch (minVersion) { + case SSL_LIBRARY_VERSION_TLS_1_0: + fallbackLimitBucket += 1; + break; + case SSL_LIBRARY_VERSION_TLS_1_1: + fallbackLimitBucket += 2; + break; + case SSL_LIBRARY_VERSION_TLS_1_2: + fallbackLimitBucket += 3; + break; + } + } + // added if the version has reached the fallback limit. + if (intolerant <= mVersionFallbackLimit) { + switch (mVersionFallbackLimit) { + case SSL_LIBRARY_VERSION_TLS_1_0: + fallbackLimitBucket += 4; + break; + case SSL_LIBRARY_VERSION_TLS_1_1: + fallbackLimitBucket += 8; + break; + case SSL_LIBRARY_VERSION_TLS_1_2: + fallbackLimitBucket += 12; + break; + } + } + if (fallbackLimitBucket) { + Telemetry::Accumulate(Telemetry::SSL_FALLBACK_LIMIT_REACHED, + fallbackLimitBucket); + }*/ + return false; } @@ -1080,20 +1124,9 @@ retryDueToTLSIntolerance(PRErrorCode err, nsNSSSocketInfo* socketInfo) // When not using a proxy we'll see a connection reset error. // When using a proxy, we'll see an end of file error. - // In addition check for some error codes where it is reasonable - // to retry without TLS. // Don't allow STARTTLS connections to fall back on connection resets or - // EOF. Also, don't fall back from TLS 1.0 to SSL 3.0 for connection - // resets, because connection resets have too many false positives, - // and we want to maximize how often we send TLS 1.0+ with extensions - // if at all reasonable. Unfortunately, it appears we have to allow - // fallback from TLS 1.2 and TLS 1.1 for connection resets due to bad - // servers and possibly bad intermediaries. - if (err == PR_CONNECT_RESET_ERROR && - range.max <= SSL_LIBRARY_VERSION_TLS_1_0) { - return false; - } + // EOF. if ((err == PR_CONNECT_RESET_ERROR || err == PR_END_OF_FILE_ERROR) && socketInfo->GetForSTARTTLS()) { return false; @@ -1203,7 +1236,7 @@ checkHandshake(int32_t bytesTransfered, bool wasReading, return bytesTransfered; } -} +} // namespace static int16_t nsSSLIOLayerPoll(PRFileDesc* fd, int16_t in_flags, int16_t* out_flags) @@ -1255,7 +1288,6 @@ nsSSLIOLayerPoll(PRFileDesc* fd, int16_t in_flags, int16_t* out_flags) nsSSLIOLayerHelpers::nsSSLIOLayerHelpers() : mTreatUnsafeNegotiationAsBroken(false) - , mWarnLevelMissingRFC5746(1) , mTLSIntoleranceInfo() , mFalseStartRequireNPN(false) , mUseStaticFallbackList(true) @@ -1469,10 +1501,6 @@ PrefObserver::Observe(nsISupports* aSubject, const char* aTopic, bool enabled; Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled); mOwner->setTreatUnsafeNegotiationAsBroken(enabled); - } else if (prefName.EqualsLiteral("security.ssl.warn_missing_rfc5746")) { - int32_t warnLevel = 1; - Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel); - mOwner->setWarnLevelMissingRFC5746(warnLevel); } else if (prefName.EqualsLiteral("security.ssl.false_start.require-npn")) { mOwner->mFalseStartRequireNPN = Preferences::GetBool("security.ssl.false_start.require-npn", @@ -1519,8 +1547,6 @@ nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers() if (mPrefObserver) { Preferences::RemoveObserver(mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken"); - Preferences::RemoveObserver(mPrefObserver, - "security.ssl.warn_missing_rfc5746"); Preferences::RemoveObserver(mPrefObserver, "security.ssl.false_start.require-npn"); Preferences::RemoveObserver(mPrefObserver, @@ -1581,10 +1607,6 @@ nsSSLIOLayerHelpers::Init() Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled); setTreatUnsafeNegotiationAsBroken(enabled); - int32_t warnLevel = 1; - Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel); - setWarnLevelMissingRFC5746(warnLevel); - mFalseStartRequireNPN = Preferences::GetBool("security.ssl.false_start.require-npn", FALSE_START_REQUIRE_NPN_DEFAULT); @@ -1600,8 +1622,6 @@ nsSSLIOLayerHelpers::Init() mPrefObserver = new PrefObserver(this); Preferences::AddStrongObserver(mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken"); - Preferences::AddStrongObserver(mPrefObserver, - "security.ssl.warn_missing_rfc5746"); Preferences::AddStrongObserver(mPrefObserver, "security.ssl.false_start.require-npn"); Preferences::AddStrongObserver(mPrefObserver, @@ -1716,20 +1736,6 @@ nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken() return mTreatUnsafeNegotiationAsBroken; } -void -nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(int32_t level) -{ - MutexAutoLock lock(mutex); - mWarnLevelMissingRFC5746 = level; -} - -int32_t -nsSSLIOLayerHelpers::getWarnLevelMissingRFC5746() -{ - MutexAutoLock lock(mutex); - return mWarnLevelMissingRFC5746; -} - nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, diff --git a/security/manager/ssl/nsNSSIOLayer.h b/security/manager/ssl/nsNSSIOLayer.h index 68a27e269a..13b8abad4c 100644 --- a/security/manager/ssl/nsNSSIOLayer.h +++ b/security/manager/ssl/nsNSSIOLayer.h @@ -20,8 +20,8 @@ namespace mozilla { namespace psm { class SharedSSLState; -} -} +} // namespace psm +} // namespace mozilla class nsIObserver; @@ -187,12 +187,9 @@ public: static PRIOMethods nsSSLPlaintextLayerMethods; bool mTreatUnsafeNegotiationAsBroken; - int32_t mWarnLevelMissingRFC5746; void setTreatUnsafeNegotiationAsBroken(bool broken); bool treatUnsafeNegotiationAsBroken(); - void setWarnLevelMissingRFC5746(int32_t level); - int32_t getWarnLevelMissingRFC5746(); private: struct IntoleranceEntry @@ -221,7 +218,9 @@ public: PRErrorCode intoleranceReason); bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port, PRErrorCode intoleranceReason); - void forgetIntolerance(const nsACString& hostname, int16_t port); + // returns the known tolerant version + // or 0 if there is no known tolerant version + uint16_t forgetIntolerance(const nsACString& hostname, int16_t port); void adjustForTLSIntolerance(const nsACString& hostname, int16_t port, /*in/out*/ SSLVersionRange& range, /*out*/ StrongCipherStatus& strongCipherStatus); diff --git a/security/manager/ssl/nsNTLMAuthModule.cpp b/security/manager/ssl/nsNTLMAuthModule.cpp index 0a16a5bf48..55bc1d032a 100644 --- a/security/manager/ssl/nsNTLMAuthModule.cpp +++ b/security/manager/ssl/nsNTLMAuthModule.cpp @@ -538,7 +538,7 @@ GenerateType3Msg(const nsString &domain, uint32_t *outLen) { // inBuf contains Type-2 msg (the challenge) from server - + MOZ_ASSERT(NS_IsMainThread()); nsresult rv; Type2Msg msg; @@ -556,6 +556,7 @@ GenerateType3Msg(const nsString &domain, #ifdef IS_BIG_ENDIAN nsAutoString ucsDomainBuf, ucsUserBuf; #endif + nsAutoCString hostBuf; nsAutoString ucsHostBuf; // temporary buffers for oem strings nsAutoCString oemDomainBuf, oemUserBuf, oemHostBuf; @@ -614,16 +615,18 @@ GenerateType3Msg(const nsString &domain, } // - // get workstation name (use local machine's hostname) + // get workstation name + // (do not use local machine's hostname after bug 1046421) // - char hostBuf[SYS_INFO_BUFFER_LENGTH]; - if (PR_GetSystemInfo(PR_SI_HOSTNAME, hostBuf, sizeof(hostBuf)) == PR_FAILURE) - return NS_ERROR_UNEXPECTED; - hostLen = strlen(hostBuf); + rv = mozilla::Preferences::GetCString("network.generic-ntlm-auth.workstation", + &hostBuf); + if (NS_FAILED(rv)) { + return rv; + } + if (unicode) { - // hostname is ASCII, so we can do a simple zero-pad expansion: - CopyASCIItoUTF16(nsDependentCString(hostBuf, hostLen), ucsHostBuf); + ucsHostBuf = NS_ConvertUTF8toUTF16(hostBuf); hostPtr = ucsHostBuf.get(); hostLen = ucsHostBuf.Length() * 2; #ifdef IS_BIG_ENDIAN @@ -632,7 +635,10 @@ GenerateType3Msg(const nsString &domain, #endif } else - hostPtr = hostBuf; + { + hostPtr = hostBuf.get(); + hostLen = hostBuf.Length(); + } // // now that we have generated all of the strings, we can allocate outBuf. @@ -988,6 +994,7 @@ nsNTLMAuthModule::Init(const char *serviceName, mDomain = domain; mUsername = username; mPassword = password; + mNTLMNegotiateSent = false; return NS_OK; } @@ -1006,16 +1013,29 @@ nsNTLMAuthModule::GetNextToken(const void *inToken, if (PK11_IsFIPS()) return NS_ERROR_NOT_AVAILABLE; - // if inToken is non-null, then assume it contains a type 2 message... - if (inToken) - { - LogToken("in-token", inToken, inTokenLen); - rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken, - inTokenLen, outToken, outTokenLen); - } - else - { - rv = GenerateType1Msg(outToken, outTokenLen); + if (mNTLMNegotiateSent) { + // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1), + // then the NTLMSSP_CHALLENGE (type 2) is expected + if (inToken) { + LogToken("in-token", inToken, inTokenLen); + // Now generate the NTLMSSP_AUTH (type 3) + rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken, + inTokenLen, outToken, outTokenLen); + } else { + LOG(("NTLMSSP_NEGOTIATE already sent and presumably " + "rejected by the server, refusing to send another")); + rv = NS_ERROR_UNEXPECTED; + } + } else { + if (inToken) { + LOG(("NTLMSSP_NEGOTIATE not sent but NTLM reply already received?!?")); + rv = NS_ERROR_UNEXPECTED; + } else { + rv = GenerateType1Msg(outToken, outTokenLen); + if (NS_SUCCEEDED(rv)) { + mNTLMNegotiateSent = true; + } + } } if (NS_SUCCEEDED(rv)) diff --git a/security/manager/ssl/nsNTLMAuthModule.h b/security/manager/ssl/nsNTLMAuthModule.h index 6e14c6d4f1..27bf2999f0 100644 --- a/security/manager/ssl/nsNTLMAuthModule.h +++ b/security/manager/ssl/nsNTLMAuthModule.h @@ -28,6 +28,7 @@ private: nsString mDomain; nsString mUsername; nsString mPassword; + bool mNTLMNegotiateSent; }; #define NS_NTLMAUTHMODULE_CONTRACTID \ diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 602ddd269f..56b35be07a 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -404,15 +404,19 @@ nsSiteSecurityService::ProcessHeader(uint32_t aType, nsISSLStatus* aSSLStatus, uint32_t aFlags, uint64_t* aMaxAge, - bool* aIncludeSubdomains) + bool* aIncludeSubdomains, + uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } NS_ENSURE_TRUE(aType == nsISiteSecurityService::HEADER_HSTS || aType == nsISiteSecurityService::HEADER_HPKP, NS_ERROR_NOT_IMPLEMENTED); NS_ENSURE_ARG(aSSLStatus); return ProcessHeaderInternal(aType, aSourceURI, aHeader, aSSLStatus, aFlags, - aMaxAge, aIncludeSubdomains); + aMaxAge, aIncludeSubdomains, aFailureResult); } NS_IMETHODIMP @@ -421,10 +425,11 @@ nsSiteSecurityService::UnsafeProcessHeader(uint32_t aType, const char* aHeader, uint32_t aFlags, uint64_t* aMaxAge, - bool* aIncludeSubdomains) + bool* aIncludeSubdomains, + uint32_t* aFailureResult) { return ProcessHeaderInternal(aType, aSourceURI, aHeader, nullptr, aFlags, - aMaxAge, aIncludeSubdomains); + aMaxAge, aIncludeSubdomains, aFailureResult); } nsresult @@ -434,8 +439,12 @@ nsSiteSecurityService::ProcessHeaderInternal(uint32_t aType, nsISSLStatus* aSSLStatus, uint32_t aFlags, uint64_t* aMaxAge, - bool* aIncludeSubdomains) + bool* aIncludeSubdomains, + uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } // Only HSTS and HPKP are supported at the moment. NS_ENSURE_TRUE(aType == nsISiteSecurityService::HEADER_HSTS || aType == nsISiteSecurityService::HEADER_HPKP, @@ -466,6 +475,9 @@ nsSiteSecurityService::ProcessHeaderInternal(uint32_t aType, tlsIsBroken = tlsIsBroken || trustcheck; if (tlsIsBroken) { SSSLOG(("SSS: discarding header from untrustworthy connection")); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNTRUSTWORTHY_CONNECTION; + } return NS_ERROR_FAILURE; } } @@ -481,11 +493,11 @@ nsSiteSecurityService::ProcessHeaderInternal(uint32_t aType, switch (aType) { case nsISiteSecurityService::HEADER_HSTS: rv = ProcessSTSHeader(aSourceURI, aHeader, aFlags, aMaxAge, - aIncludeSubdomains); + aIncludeSubdomains, aFailureResult); break; case nsISiteSecurityService::HEADER_HPKP: rv = ProcessPKPHeader(aSourceURI, aHeader, aSSLStatus, aFlags, aMaxAge, - aIncludeSubdomains); + aIncludeSubdomains, aFailureResult); break; default: MOZ_CRASH("unexpected header type"); @@ -493,7 +505,7 @@ nsSiteSecurityService::ProcessHeaderInternal(uint32_t aType, return rv; } -static nsresult +static uint32_t ParseSSSHeaders(uint32_t aType, const char* aHeader, bool& foundIncludeSubdomains, @@ -502,7 +514,7 @@ ParseSSSHeaders(uint32_t aType, int64_t& maxAge, nsTArray& sha256keys) { - // Stric transport security and Public Key Pinning have very similar + // Strict transport security and Public Key Pinning have very similar // Header formats. // "Strict-Transport-Security" ":" OWS @@ -554,7 +566,7 @@ ParseSSSHeaders(uint32_t aType, nsresult rv = parser.Parse(); if (NS_FAILED(rv)) { SSSLOG(("SSS: could not parse header")); - return rv; + return nsISiteSecurityService::ERROR_COULD_NOT_PARSE_HEADER; } mozilla::LinkedList* directives = parser.GetDirectives(); @@ -566,7 +578,7 @@ ParseSSSHeaders(uint32_t aType, max_age_var.Length())) { if (foundMaxAge) { SSSLOG(("SSS: found two max-age directives")); - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_MULTIPLE_MAX_AGES; } SSSLOG(("SSS: found max-age directive")); @@ -577,13 +589,13 @@ ParseSSSHeaders(uint32_t aType, char chr = directive->mValue.CharAt(i); if (chr < '0' || chr > '9') { SSSLOG(("SSS: invalid value for max-age directive")); - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_INVALID_MAX_AGE; } } if (PR_sscanf(directive->mValue.get(), "%lld", &maxAge) != 1) { SSSLOG(("SSS: could not parse delta-seconds")); - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_INVALID_MAX_AGE; } SSSLOG(("SSS: parsed delta-seconds: %lld", maxAge)); @@ -592,7 +604,7 @@ ParseSSSHeaders(uint32_t aType, include_subd_var.Length())) { if (foundIncludeSubdomains) { SSSLOG(("SSS: found two includeSubdomains directives")); - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_MULTIPLE_INCLUDE_SUBDOMAINS; } SSSLOG(("SSS: found includeSubdomains directive")); @@ -601,7 +613,7 @@ ParseSSSHeaders(uint32_t aType, if (directive->mValue.Length() != 0) { SSSLOG(("SSS: includeSubdomains directive unexpectedly had value '%s'", directive->mValue.get())); - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_INVALID_INCLUDE_SUBDOMAINS; } } else if (aType == nsISiteSecurityService::HEADER_HPKP && directive->mName.Length() == pin_sha256_var.Length() && @@ -610,18 +622,18 @@ ParseSSSHeaders(uint32_t aType, SSSLOG(("SSS: found pinning entry '%s' length=%d", directive->mValue.get(), directive->mValue.Length())); if (!stringIsBase64EncodingOf256bitValue(directive->mValue)) { - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_INVALID_PIN; } sha256keys.AppendElement(directive->mValue); } else if (aType == nsISiteSecurityService::HEADER_HPKP && directive->mName.Length() == report_uri_var.Length() && directive->mName.EqualsIgnoreCase(report_uri_var.get(), report_uri_var.Length())) { - // We doni't support the report-uri yet, but to avoid unrecognized + // We don't support the report-uri yet, but to avoid unrecognized // directive warnings, we still have to handle its presence if (foundReportURI) { SSSLOG(("SSS: found two report-uri directives")); - return NS_ERROR_FAILURE; + return nsISiteSecurityService::ERROR_MULTIPLE_REPORT_URIS; } SSSLOG(("SSS: found report-uri directive")); foundReportURI = true; @@ -631,7 +643,7 @@ ParseSSSHeaders(uint32_t aType, foundUnrecognizedDirective = true; } } - return NS_OK; + return nsISiteSecurityService::Success; } nsresult @@ -640,8 +652,12 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, nsISSLStatus* aSSLStatus, uint32_t aFlags, uint64_t* aMaxAge, - bool* aIncludeSubdomains) + bool* aIncludeSubdomains, + uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } SSSLOG(("SSS: processing HPKP header '%s'", aHeader)); NS_ENSURE_ARG(aSSLStatus); @@ -651,15 +667,23 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, bool foundUnrecognizedDirective = false; int64_t maxAge = 0; nsTArray sha256keys; - nsresult rv = ParseSSSHeaders(aType, aHeader, foundIncludeSubdomains, - foundMaxAge, foundUnrecognizedDirective, - maxAge, sha256keys); - NS_ENSURE_SUCCESS(rv, rv); + uint32_t sssrv = ParseSSSHeaders(aType, aHeader, foundIncludeSubdomains, + foundMaxAge, foundUnrecognizedDirective, + maxAge, sha256keys); + if (sssrv != nsISiteSecurityService::Success) { + if (aFailureResult) { + *aFailureResult = sssrv; + } + return NS_ERROR_FAILURE; + } // after processing all the directives, make sure we came across max-age // somewhere. if (!foundMaxAge) { SSSLOG(("SSS: did not encounter required max-age directive")); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_NO_MAX_AGE; + } return NS_ERROR_FAILURE; } @@ -668,7 +692,7 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, // 1. recompute a valid chain (no external ocsp) // 2. use this chain to check if things would have broken! nsAutoCString host; - rv = GetHost(aSourceURI, host); + nsresult rv = GetHost(aSourceURI, host); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr cert; rv = aSSLStatus->GetServerCert(getter_AddRefs(cert)); @@ -714,11 +738,14 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, if (!chainMatchesPinset) { // is invalid SSSLOG(("SSS: Pins provided by %s are invalid no match with certList\n", host.get())); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_PINSET_DOES_NOT_MATCH_CHAIN; + } return NS_ERROR_FAILURE; } // finally we need to ensure that there is a "backup pin" ie. There must be - // at least one fingerprint hash that does NOT valiate against the verified + // at least one fingerprint hash that does NOT validate against the verified // chain (Section 2.5 of the spec) bool hasBackupPin = false; for (uint32_t i = 0; i < sha256keys.Length(); i++) { @@ -736,6 +763,9 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, if (!hasBackupPin) { // is invalid SSSLOG(("SSS: Pins provided by %s are invalid no backupPin\n", host.get())); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_NO_BACKUP_PIN; + } return NS_ERROR_FAILURE; } @@ -746,7 +776,13 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, host.get(), expireTime, PR_Now() / PR_USEC_PER_MSEC, maxAge)); rv = SetHPKPState(host.get(), dynamicEntry, aFlags); - NS_ENSURE_SUCCESS(rv, rv); + if (NS_FAILED(rv)) { + SSSLOG(("SSS: failed to set pins for %s\n", host.get())); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_COULD_NOT_SAVE_STATE; + } + return rv; + } if (aMaxAge != nullptr) { *aMaxAge = (uint64_t)maxAge; @@ -766,8 +802,12 @@ nsSiteSecurityService::ProcessSTSHeader(nsIURI* aSourceURI, const char* aHeader, uint32_t aFlags, uint64_t* aMaxAge, - bool* aIncludeSubdomains) + bool* aIncludeSubdomains, + uint32_t* aFailureResult) { + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; + } SSSLOG(("SSS: processing HSTS header '%s'", aHeader)); const uint32_t aType = nsISiteSecurityService::HEADER_HSTS; @@ -775,22 +815,38 @@ nsSiteSecurityService::ProcessSTSHeader(nsIURI* aSourceURI, bool foundIncludeSubdomains = false; bool foundUnrecognizedDirective = false; int64_t maxAge = 0; - nsTArray unusedSHA256keys; // Requred for sane internal interface + nsTArray unusedSHA256keys; // Required for sane internal interface - nsresult rv = ParseSSSHeaders(aType, aHeader, foundIncludeSubdomains, - foundMaxAge, foundUnrecognizedDirective, - maxAge, unusedSHA256keys); - NS_ENSURE_SUCCESS(rv, rv); + uint32_t sssrv = ParseSSSHeaders(aType, aHeader, foundIncludeSubdomains, + foundMaxAge, foundUnrecognizedDirective, + maxAge, unusedSHA256keys); + if (sssrv != nsISiteSecurityService::Success) { + if (aFailureResult) { + *aFailureResult = sssrv; + } + return NS_ERROR_FAILURE; + } // after processing all the directives, make sure we came across max-age // somewhere. if (!foundMaxAge) { SSSLOG(("SSS: did not encounter required max-age directive")); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_NO_MAX_AGE; + } return NS_ERROR_FAILURE; } // record the successfully parsed header data. - SetHSTSState(aType, aSourceURI, maxAge, foundIncludeSubdomains, aFlags); + nsresult rv = SetHSTSState(aType, aSourceURI, maxAge, foundIncludeSubdomains, + aFlags); + if (NS_FAILED(rv)) { + SSSLOG(("SSS: failed to set STS state")); + if (aFailureResult) { + *aFailureResult = nsISiteSecurityService::ERROR_COULD_NOT_SAVE_STATE; + } + return rv; + } if (aMaxAge != nullptr) { *aMaxAge = (uint64_t)maxAge; diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h index c958bfd670..b04747891e 100644 --- a/security/manager/ssl/nsSiteSecurityService.h +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -132,13 +132,15 @@ private: nsresult ProcessHeaderInternal(uint32_t aType, nsIURI* aSourceURI, const char* aHeader, nsISSLStatus* aSSLStatus, uint32_t aFlags, uint64_t* aMaxAge, - bool* aIncludeSubdomains); + bool* aIncludeSubdomains, + uint32_t* aFailureResult); nsresult ProcessSTSHeader(nsIURI* aSourceURI, const char* aHeader, uint32_t flags, uint64_t* aMaxAge, - bool* aIncludeSubdomains); + bool* aIncludeSubdomains, uint32_t* aFailureResult); nsresult ProcessPKPHeader(nsIURI* aSourceURI, const char* aHeader, nsISSLStatus* aSSLStatus, uint32_t flags, - uint64_t* aMaxAge, bool* aIncludeSubdomains); + uint64_t* aMaxAge, bool* aIncludeSubdomains, + uint32_t* aFailureResult); nsresult SetHPKPState(const char* aHost, SiteHPKPState& entry, uint32_t flags); const nsSTSPreload *GetPreloadListEntry(const char *aHost); diff --git a/netwerk/test/TestSTSParser.cpp b/security/manager/ssl/tests/compiled/TestSTSParser.cpp similarity index 98% rename from netwerk/test/TestSTSParser.cpp rename to security/manager/ssl/tests/compiled/TestSTSParser.cpp index 788cb01b5b..f00617df5b 100644 --- a/netwerk/test/TestSTSParser.cpp +++ b/security/manager/ssl/tests/compiled/TestSTSParser.cpp @@ -44,7 +44,7 @@ TestSuccess(const char* hdr, bool extraTokens, uint64_t maxAge = 0; bool includeSubdomains = false; rv = sss->UnsafeProcessHeader(nsISiteSecurityService::HEADER_HSTS, dummyUri, - hdr, 0, &maxAge, &includeSubdomains); + hdr, 0, &maxAge, &includeSubdomains, nullptr); EXPECT_SUCCESS(rv, "Failed to process valid header: %s", hdr); REQUIRE_EQUAL(maxAge, expectedMaxAge, "Did not correctly parse maxAge"); @@ -69,7 +69,7 @@ bool TestFailure(const char* hdr, EXPECT_SUCCESS(rv, "Failed to create URI"); rv = sss->UnsafeProcessHeader(nsISiteSecurityService::HEADER_HSTS, dummyUri, - hdr, 0, nullptr, nullptr); + hdr, 0, nullptr, nullptr, nullptr); EXPECT_FAILURE(rv, "Parsed invalid header: %s", hdr); passed(hdr); return true; diff --git a/security/manager/ssl/tests/compiled/moz.build b/security/manager/ssl/tests/compiled/moz.build index 26829651e1..4f33a15655 100644 --- a/security/manager/ssl/tests/compiled/moz.build +++ b/security/manager/ssl/tests/compiled/moz.build @@ -4,6 +4,10 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -GeckoCppUnitTests([ - 'TestCertDB', +CppUnitTests([ + 'TestSTSParser', +]) + +GeckoCppUnitTests([ + 'TestCertDB', ]) diff --git a/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp index ffa002d372..5f35e2473b 100644 --- a/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp +++ b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp @@ -21,15 +21,15 @@ protected: TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process) { - helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_3_0; + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, helpers.mVersionFallbackLimit); // No adjustment made when there is no entry for the site. { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus); @@ -41,11 +41,11 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); @@ -55,11 +55,11 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); @@ -69,41 +69,25 @@ TEST_F(TLSIntoleranceTest, Test_Full_Fallback_Process) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); - ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, - range.min, range.max, 0)); - } - - { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, - SSL_LIBRARY_VERSION_TLS_1_2 }; - - StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; - helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.max); - ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); - - ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); - // false because we reached the floor set by range.min ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min, range.max, 0)); } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); // When rememberIntolerantAtVersion returns false, it also resets the // intolerance information for the server. ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); @@ -117,29 +101,15 @@ TEST_F(TLSIntoleranceTest, Test_Disable_Fallback_With_High_Limit) // to mark an origin as version intolerant fail helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2; ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_0, - 0)); -} - -TEST_F(TLSIntoleranceTest, Test_Fallback_Limit_Default) -{ - // the default limit prevents SSL 3.0 fallback - ASSERT_EQ(helpers.mVersionFallbackLimit, SSL_LIBRARY_VERSION_TLS_1_0); - ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, - SSL_LIBRARY_VERSION_TLS_1_1, - 0)); - ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, SSL_LIBRARY_VERSION_TLS_1_0, 0)); } @@ -153,11 +123,11 @@ TEST_F(TLSIntoleranceTest, Test_Fallback_Limit_Below_Min) SSL_LIBRARY_VERSION_TLS_1_2, 0)); { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus); } @@ -171,15 +141,15 @@ TEST_F(TLSIntoleranceTest, Test_Fallback_Limit_Below_Min) TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_1) { ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } @@ -187,15 +157,15 @@ TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_1) TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_2) { ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_2); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } @@ -206,14 +176,14 @@ TEST_F(TLSIntoleranceTest, Test_Intolerant_Does_Not_Override_Tolerant) helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); // false because we reached the floor set by rememberTolerantAtVersion. ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } @@ -222,16 +192,16 @@ TEST_F(TLSIntoleranceTest, Test_Port_Is_Relevant) { helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2); ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, 1, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, 2, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, 1, range, strongCipherStatus); @@ -239,7 +209,7 @@ TEST_F(TLSIntoleranceTest, Test_Port_Is_Relevant) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, 2, range, strongCipherStatus); @@ -257,12 +227,12 @@ TEST_F(TLSIntoleranceTest, Test_Intolerance_Reason_Initial) TEST_F(TLSIntoleranceTest, Test_Intolerance_Reason_Stored) { - helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_3_0, + helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, SSL_ERROR_BAD_SERVER); ASSERT_EQ(SSL_ERROR_BAD_SERVER, helpers.getIntoleranceReason(HOST, 1)); - helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_3_0, + helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, SSL_ERROR_BAD_MAC_READ); ASSERT_EQ(SSL_ERROR_BAD_MAC_READ, helpers.getIntoleranceReason(HOST, 1)); @@ -272,7 +242,7 @@ TEST_F(TLSIntoleranceTest, Test_Intolerance_Reason_Cleared) { ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1)); - helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_3_0, + helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); ASSERT_EQ(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT, @@ -289,11 +259,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed) ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); @@ -302,11 +272,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); @@ -315,11 +285,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); // When rememberIntolerantAtVersion returns false, it also resets the // intolerance information for the server. ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); @@ -329,11 +299,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed) TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1) { - helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_3_0; + helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_0; // No adjustment made when there is no entry for the site. { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); @@ -342,7 +312,7 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); @@ -350,11 +320,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); @@ -363,11 +333,11 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_At_1_1) } { - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); } @@ -381,15 +351,15 @@ TEST_F(TLSIntoleranceTest, Test_Strong_Ciphers_Failed_With_High_Limit) // ...but weak ciphers fallback will not be disabled ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0)); ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_0, 0)); } @@ -399,11 +369,11 @@ TEST_F(TLSIntoleranceTest, Test_Tolerant_Does_Not_Override_Weak_Ciphers_Fallback ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); // No adjustment made when intolerant is zero. helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersFailed, strongCipherStatus); } @@ -414,11 +384,11 @@ TEST_F(TLSIntoleranceTest, Test_Weak_Ciphers_Fallback_Does_Not_Override_Tolerant helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); // false because strongCipherWorked is set by rememberTolerantAtVersion. ASSERT_FALSE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } @@ -427,15 +397,15 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Intolerance) { { ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus); } @@ -443,11 +413,11 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Intolerance) { helpers.forgetIntolerance(HOST, PORT); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCipherStatusUnknown, strongCipherStatus); } @@ -458,7 +428,7 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Strong_Cipher_Failed) { ASSERT_TRUE(helpers.rememberStrongCiphersFailed(HOST, PORT, 0)); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); @@ -468,7 +438,7 @@ TEST_F(TLSIntoleranceTest, TLS_Forget_Strong_Cipher_Failed) { helpers.forgetIntolerance(HOST, PORT); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); @@ -481,26 +451,26 @@ TEST_F(TLSIntoleranceTest, TLS_Dont_Forget_Tolerance) { helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } { ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, - SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0)); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } @@ -508,11 +478,11 @@ TEST_F(TLSIntoleranceTest, TLS_Dont_Forget_Tolerance) { helpers.forgetIntolerance(HOST, PORT); - SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0, + SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; StrongCipherStatus strongCipherStatus = StrongCipherStatusUnknown; helpers.adjustForTLSIntolerance(HOST, PORT, range, strongCipherStatus); - ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min); + ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min); ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max); ASSERT_EQ(StrongCiphersWorked, strongCipherStatus); } diff --git a/security/sandbox/linux/common/SandboxInfo.cpp b/security/sandbox/linux/common/SandboxInfo.cpp index b901cd6752..ddd0920c69 100644 --- a/security/sandbox/linux/common/SandboxInfo.cpp +++ b/security/sandbox/linux/common/SandboxInfo.cpp @@ -17,10 +17,23 @@ #include "base/posix/eintr_wrapper.h" #include "mozilla/Assertions.h" #include "mozilla/ArrayUtils.h" -#include "mozilla/DebugOnly.h" #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" #include "sandbox/linux/services/linux_syscalls.h" +// A note about assertions: in general, the worst thing this module +// should be able to do is disable sandboxing features, so release +// asserts or MOZ_CRASH should be avoided, even for seeming +// impossibilities like an unimplemented syscall returning success +// (which has happened: https://crbug.com/439795 ). +// +// MOZ_DIAGNOSTIC_ASSERT (debug builds, plus Nightly/Aurora non-debug) +// is probably the best choice for conditions that shouldn't be able +// to fail without the help of bugs in the kernel or system libraries. +// +// Regardless of assertion type, whatever condition caused it to fail +// should generally also disable the corresponding feature on builds +// that omit the assertion. + namespace mozilla { static bool @@ -34,12 +47,12 @@ HasSeccompBPF() // enable it with an invalid pointer for the filter. This will // fail with EFAULT if supported and EINVAL if not, without // changing the process's state. - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr) != -1) { - MOZ_CRASH("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr)" - " didn't fail"); - } - MOZ_ASSERT(errno == EFAULT || errno == EINVAL); - return errno == EFAULT; + + int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr); + MOZ_DIAGNOSTIC_ASSERT(rv == -1, "prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER," + " nullptr) didn't fail"); + MOZ_DIAGNOSTIC_ASSERT(errno == EFAULT || errno == EINVAL); + return rv == -1 && errno == EFAULT; } static bool @@ -50,13 +63,12 @@ HasSeccompTSync() if (getenv("MOZ_FAKE_NO_SECCOMP_TSYNC")) { return false; } - if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, - SECCOMP_FILTER_FLAG_TSYNC, nullptr) != -1) { - MOZ_CRASH("seccomp(..., SECCOMP_FILTER_FLAG_TSYNC, nullptr)" - " didn't fail"); - } - MOZ_ASSERT(errno == EFAULT || errno == EINVAL || errno == ENOSYS); - return errno == EFAULT; + int rv = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, + SECCOMP_FILTER_FLAG_TSYNC, nullptr); + MOZ_DIAGNOSTIC_ASSERT(rv == -1, "seccomp(..., SECCOMP_FILTER_FLAG_TSYNC," + " nullptr) didn't fail"); + MOZ_DIAGNOSTIC_ASSERT(errno == EFAULT || errno == EINVAL || errno == ENOSYS); + return rv == -1 && errno == EFAULT; } static bool @@ -132,13 +144,16 @@ CanCreateUserNamespace() // Failure. MOZ_ASSERT(errno == EINVAL || // unsupported errno == EPERM || // root-only, or we're already chrooted - errno == EUSERS); // already inside 32 nested user namespaces + errno == EUSERS); // already at user namespace nesting limit setenv(kCacheEnvName, "0", 1); return false; } // Otherwise, in the parent and successful. - DebugOnly ok = HANDLE_EINTR(waitpid(pid, nullptr, 0)) == pid; - MOZ_ASSERT(ok); + bool waitpid_ok = HANDLE_EINTR(waitpid(pid, nullptr, 0)) == pid; + MOZ_ASSERT(waitpid_ok); + if (!waitpid_ok) { + return false; + } setenv(kCacheEnvName, "1", 1); return true; } diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json index c3b782b8f8..9c5db5e9af 100644 --- a/toolkit/components/telemetry/Histograms.json +++ b/toolkit/components/telemetry/Histograms.json @@ -1264,7 +1264,7 @@ "expires_in_version": "never", "kind": "enumerated", "n_values": 16, - "description": "SSL Version (0=ssl3, 1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3)" + "description": "SSL Version (1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3)" }, "SSL_TIME_UNTIL_READY": { "expires_in_version": "never", @@ -5860,24 +5860,18 @@ "n_values": 64, "description": "Detected symptom of TLS 1.0 intolerance, after considering historical info" }, - "SSL_SSL30_INTOLERANCE_REASON_PRE": { - "expires_in_version": "never", - "kind": "enumerated", - "n_values": 64, - "description": "Detected symptom of SSL 3.0 intolerance, before considering historical info" - }, - "SSL_SSL30_INTOLERANCE_REASON_POST": { - "expires_in_version": "never", - "kind": "enumerated", - "n_values": 64, - "description": "Detected symptom of SSL 3.0 intolerance, after considering historical info" - }, "SSL_VERSION_FALLBACK_INAPPROPRIATE": { "expires_in_version": "never", "kind": "enumerated", "n_values": 64, "description": "TLS/SSL version intolerance was falsely detected, server rejected handshake" }, + "SSL_FALLBACK_LIMIT_REACHED": { + "expires_in_version": "default", + "kind": "enumerated", + "n_values": 16, + "description": "TLS/SSL version fallback reached the fallback limit (1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2) or the minimum version (4=TLS 1.0, 8=TLS 1.1, 12=TLS 1.2), stopped the fallback" + }, "SSL_WEAK_CIPHERS_FALLBACK": { "expires_in_version": "never", "kind": "enumerated",