author | Patrick McManus <mcmanus@ducksong.com> |
Mon, 25 Nov 2013 18:12:40 -0500 | |
changeset 157623 | 288b02c2e5d1cce0d4e8a88ff7c6e394d5322308 |
parent 157622 | e2f70138f5aaf7d3a0576354c87d0e15d752f20f |
child 157624 | 778a10a2b497e72536d1e7449cc9cd378a02661a |
push id | 36789 |
push user | brian@briansmith.org |
push date | Tue, 26 Nov 2013 22:51:20 +0000 |
treeherder | mozilla-inbound@288b02c2e5d1 [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | briansmith |
bugs | 942729 |
milestone | 28.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/netwerk/protocol/http/nsHttp.h +++ b/netwerk/protocol/http/nsHttp.h @@ -66,17 +66,16 @@ typedef uint8_t nsHttpVersion; // a transaction with this flag loads without respect to whether the load // group is currently blocking on some resources #define NS_HTTP_LOAD_UNBLOCKED (1<<8) // These flags allow a transaction to use TLS false start with // weaker security profiles based on past history #define NS_HTTP_ALLOW_RSA_FALSESTART (1<<9) -#define NS_HTTP_ALLOW_RC4_FALSESTART (1<<10) //----------------------------------------------------------------------------- // some default values //----------------------------------------------------------------------------- #define NS_HTTP_DEFAULT_PORT 80 #define NS_HTTPS_DEFAULT_PORT 443
--- a/netwerk/protocol/http/nsHttpChannel.cpp +++ b/netwerk/protocol/http/nsHttpChannel.cpp @@ -407,17 +407,17 @@ nsHttpChannel::SpeculativeConnect() nsCOMPtr<nsIInterfaceRequestor> callbacks; NS_NewNotificationCallbacksAggregation(mCallbacks, mLoadGroup, getter_AddRefs(callbacks)); if (!callbacks) return; gHttpHandler->SpeculativeConnect( mConnectionInfo, callbacks, - mCaps & (NS_HTTP_ALLOW_RSA_FALSESTART | NS_HTTP_ALLOW_RC4_FALSESTART | NS_HTTP_DISALLOW_SPDY)); + mCaps & (NS_HTTP_ALLOW_RSA_FALSESTART | NS_HTTP_DISALLOW_SPDY)); } void nsHttpChannel::DoNotifyListenerCleanup() { // We don't need this info anymore CleanRedirectCacheChainIfNecessary(); } @@ -595,22 +595,16 @@ nsHttpChannel::RetrieveSSLOptions() uint32_t perm; nsresult rv = permMgr->TestPermissionFromPrincipal(principal, "falsestart-rsa", &perm); if (NS_SUCCEEDED(rv) && perm == nsIPermissionManager::ALLOW_ACTION) { LOG(("nsHttpChannel::RetrieveSSLOptions [this=%p] " "falsestart-rsa permission found\n", this)); mCaps |= NS_HTTP_ALLOW_RSA_FALSESTART; } - rv = permMgr->TestPermissionFromPrincipal(principal, "falsestart-rc4", &perm); - if (NS_SUCCEEDED(rv) && perm == nsIPermissionManager::ALLOW_ACTION) { - LOG(("nsHttpChannel::RetrieveSSLOptions [this=%p] " - "falsestart-rc4 permission found\n", this)); - mCaps |= NS_HTTP_ALLOW_RC4_FALSESTART; - } } nsresult nsHttpChannel::SetupTransaction() { LOG(("nsHttpChannel::SetupTransaction [this=%p]\n", this)); NS_ENSURE_TRUE(!mTransaction, NS_ERROR_ALREADY_INITIALIZED); @@ -1096,17 +1090,16 @@ nsHttpChannel::IsHTTPS() } void nsHttpChannel::ProcessSSLInformation() { // If this is HTTPS, record any use of RSA so that Key Exchange Algorithm // can be whitelisted for TLS False Start in future sessions. We could // do the same for DH but its rarity doesn't justify the lookup. - // Also do the same for RC4 symmetric ciphers. if (mCanceled || NS_FAILED(mStatus) || !mSecurityInfo || !IsHTTPS() || mPrivateBrowsing) return; nsCOMPtr<nsISSLSocketControl> ssl = do_QueryInterface(mSecurityInfo); nsCOMPtr<nsISSLStatusProvider> statusProvider = do_QueryInterface(mSecurityInfo); @@ -1123,17 +1116,16 @@ nsHttpChannel::ProcessSSLInformation() if (NS_FAILED(sslstat->GetIsDomainMismatch(&trustCheck)) || trustCheck) return; if (NS_FAILED(sslstat->GetIsNotValidAtThisTime(&trustCheck)) || trustCheck) return; if (NS_FAILED(sslstat->GetIsUntrusted(&trustCheck)) || trustCheck) return; int16_t kea = ssl->GetKEAUsed(); - int16_t symcipher = ssl->GetSymmetricCipherUsed(); nsIPrincipal *principal = GetPrincipal(); if (!principal) return; // set a permission manager flag that future transactions can // use via RetrieveSSLOptions(() @@ -1151,27 +1143,16 @@ nsHttpChannel::ProcessSSLInformation() nsIPermissionManager::ALLOW_ACTION, nsIPermissionManager::EXPIRE_TIME, expireTime); LOG(("nsHttpChannel::ProcessSSLInformation [this=%p] " "falsestart-rsa permission granted for this host\n", this)); } else { permMgr->RemoveFromPrincipal(principal, "falsestart-rsa"); } - - if (symcipher == ssl_calg_rc4) { - permMgr->AddFromPrincipal(principal, "falsestart-rc4", - nsIPermissionManager::ALLOW_ACTION, - nsIPermissionManager::EXPIRE_TIME, - expireTime); - LOG(("nsHttpChannel::ProcessSSLInformation [this=%p] " - "falsestart-rc4 permission granted for this host\n", this)); - } else { - permMgr->RemoveFromPrincipal(principal, "falsestart-rc4"); - } } nsresult nsHttpChannel::ProcessResponse() { nsresult rv; uint32_t httpStatus = mResponseHead->Status();
--- a/netwerk/protocol/http/nsHttpConnection.cpp +++ b/netwerk/protocol/http/nsHttpConnection.cpp @@ -386,22 +386,16 @@ nsHttpConnection::SetupSSL(uint32_t caps return; if (caps & NS_HTTP_ALLOW_RSA_FALSESTART) { LOG(("nsHttpConnection::SetupSSL %p " ">= RSA Key Exchange Expected\n", this)); ssl->SetKEAExpected(ssl_kea_rsa); } - if (caps & NS_HTTP_ALLOW_RC4_FALSESTART) { - LOG(("nsHttpConnection::SetupSSL %p " - ">= RC4 Key Exchange Expected\n", this)); - ssl->SetSymmetricCipherExpected(ssl_calg_rc4); - } - nsTArray<nsCString> protocolArray; // The first protocol is used as the fallback if none of the // protocols supported overlap with the server's list. // In the case of overlap, matching priority is driven by // the order of the server's advertisement. protocolArray.AppendElement(NS_LITERAL_CSTRING("http/1.1"));
--- a/netwerk/socket/nsISSLSocketControl.idl +++ b/netwerk/socket/nsISSLSocketControl.idl @@ -9,17 +9,17 @@ interface nsIInterfaceRequestor; %{C++ template<class T> class nsTArray; class nsCString; %} [ref] native nsCStringTArrayRef(nsTArray<nsCString>); -[scriptable, builtinclass, uuid(c5eb9af4-238c-4fc6-bdec-d5ab5e7dce68)] +[scriptable, builtinclass, uuid(5fe25c47-5462-4b85-b946-fc2e20c07cdf)] interface nsISSLSocketControl : nsISupports { attribute nsIInterfaceRequestor notificationCallbacks; void proxyStartSSL(); void StartTLS(); /* NPN (Next Protocol Negotiation) is a mechanism for negotiating the protocol to be spoken inside the SSL @@ -47,30 +47,27 @@ interface nsISSLSocketControl : nsISuppo * a desired NPN negotiated protocol of npnProtocol can use the socket * associated with this object instead of making a new one. */ boolean joinConnection( in ACString npnProtocol, /* e.g. "spdy/2" */ in ACString hostname, in long port); - /* The Key Exchange Algorithm and Symmetric Cipher - is used when determining whether or not to do false start. - After a handshake is complete it can be read from *Used, - before a handshake is started it may be set through *Expected. - The values correspond to the SSLKEAType and SSLCipherAlgorithm - enums in NSS or the *_UNKNOWN constant defined below. + /* The Key Exchange Algorithm is used when determining whether or + not to do false start. + After a handshake is complete it can be read from KEAUsed, + before a handshake is started it may be set through KEAExpected. + The values correspond to the SSLKEAType enum in NSS or the + KEY_EXCHANGE_UNKNOWN constant defined below. */ [infallible] readonly attribute short KEAUsed; [infallible] attribute short KEAExpected; - [infallible] readonly attribute short SymmetricCipherUsed; - [infallible] attribute short SymmetricCipherExpected; const short KEY_EXCHANGE_UNKNOWN = -1; - const short SYMMETRIC_CIPHER_UNKNOWN = -1; /* * The original flags from the socket provider. */ readonly attribute uint32_t providerFlags; };
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -1303,15 +1303,14 @@ void HandshakeCallback(PRFileDesc* fd, v } } Telemetry::Accumulate( infoObject->IsFullHandshake() ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED, cipherInfo.symCipher); - infoObject->SetSymmetricCipherUsed(cipherInfo.symCipher); } } infoObject->NoteTimeUntilReady(); infoObject->SetHandshakeCompleted(); }
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp +++ b/security/manager/ssl/src/nsNSSIOLayer.cpp @@ -128,18 +128,16 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedS mFalseStarted(false), mIsFullHandshake(false), mHandshakeCompleted(false), mJoined(false), mSentClientCert(false), mNotedTimeUntilReady(false), mKEAUsed(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN), mKEAExpected(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN), - mSymmetricCipherUsed(nsISSLSocketControl::SYMMETRIC_CIPHER_UNKNOWN), - mSymmetricCipherExpected(nsISSLSocketControl::SYMMETRIC_CIPHER_UNKNOWN), mProviderFlags(providerFlags), mSocketCreationTimestamp(TimeStamp::Now()), mPlaintextBytesRead(0) { mTLSVersionRange.min = 0; mTLSVersionRange.max = 0; } @@ -170,37 +168,16 @@ nsNSSSocketInfo::GetKEAExpected(int16_t NS_IMETHODIMP nsNSSSocketInfo::SetKEAExpected(int16_t aKea) { mKEAExpected = aKea; return NS_OK; } -NS_IMETHODIMP -nsNSSSocketInfo::GetSymmetricCipherUsed(int16_t *aSymmetricCipher) -{ - *aSymmetricCipher = mSymmetricCipherUsed; - return NS_OK; -} - -NS_IMETHODIMP -nsNSSSocketInfo::GetSymmetricCipherExpected(int16_t *aSymmetricCipher) -{ - *aSymmetricCipher = mSymmetricCipherExpected; - return NS_OK; -} - -NS_IMETHODIMP -nsNSSSocketInfo::SetSymmetricCipherExpected(int16_t aSymmetricCipher) -{ - mSymmetricCipherExpected = aSymmetricCipher; - return NS_OK; -} - NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(bool *aRememberClientAuthCertificate) { NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate); *aRememberClientAuthCertificate = mRememberClientAuthCertificate; return NS_OK; } NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(bool aRememberClientAuthCertificate)
--- a/security/manager/ssl/src/nsNSSIOLayer.h +++ b/security/manager/ssl/src/nsNSSIOLayer.h @@ -101,27 +101,16 @@ public: void SetKEAUsed(uint16_t kea) { mKEAUsed = kea; } inline int16_t GetKEAExpected() // infallible in nsISSLSocketControl { int16_t result; mozilla::DebugOnly<nsresult> rv = GetKEAExpected(&result); MOZ_ASSERT(NS_SUCCEEDED(rv)); return result; } - void SetSymmetricCipherUsed(uint16_t symmetricCipher) - { - mSymmetricCipherUsed = symmetricCipher; - } - inline int16_t GetSymmetricCipherExpected() // infallible in nsISSLSocketControl - { - int16_t result; - mozilla::DebugOnly<nsresult> rv = GetSymmetricCipherExpected(&result); - MOZ_ASSERT(NS_SUCCEEDED(rv)); - return result; - } private: PRFileDesc* mFd; CertVerificationState mCertVerificationState; mozilla::psm::SharedSSLState& mSharedState; bool mForSTARTTLS; @@ -138,22 +127,20 @@ private: bool mFalseStartCallbackCalled; bool mFalseStarted; bool mIsFullHandshake; bool mHandshakeCompleted; bool mJoined; bool mSentClientCert; bool mNotedTimeUntilReady; - // mKEA* and mSymmetricCipher* are used in false start detetermination - // values are from nsISSLSocketControl + // mKEA* are used in false start detetermination + // Values are from nsISSLSocketControl int16_t mKEAUsed; int16_t mKEAExpected; - int16_t mSymmetricCipherUsed; - int16_t mSymmetricCipherExpected; uint32_t mProviderFlags; mozilla::TimeStamp mSocketCreationTimestamp; uint64_t mPlaintextBytesRead; }; class nsSSLIOLayerHelpers {