Bug 942729, Part 2: Remove unused expected symmetric cipher mechanism, r=briansmith
authorPatrick McManus <mcmanus@ducksong.com>
Mon, 25 Nov 2013 18:12:40 -0500
changeset 157623 288b02c2e5d1cce0d4e8a88ff7c6e394d5322308
parent 157622 e2f70138f5aaf7d3a0576354c87d0e15d752f20f
child 157624 778a10a2b497e72536d1e7449cc9cd378a02661a
push id36789
push userbrian@briansmith.org
push dateTue, 26 Nov 2013 22:51:20 +0000
treeherdermozilla-inbound@288b02c2e5d1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbriansmith
bugs942729
milestone28.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 942729, Part 2: Remove unused expected symmetric cipher mechanism, r=briansmith
netwerk/protocol/http/nsHttp.h
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpConnection.cpp
netwerk/socket/nsISSLSocketControl.idl
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsNSSIOLayer.h
--- a/netwerk/protocol/http/nsHttp.h
+++ b/netwerk/protocol/http/nsHttp.h
@@ -66,17 +66,16 @@ typedef uint8_t nsHttpVersion;
 
 // a transaction with this flag loads without respect to whether the load
 // group is currently blocking on some resources
 #define NS_HTTP_LOAD_UNBLOCKED       (1<<8)
 
 // These flags allow a transaction to use TLS false start with
 // weaker security profiles based on past history
 #define NS_HTTP_ALLOW_RSA_FALSESTART (1<<9)
-#define NS_HTTP_ALLOW_RC4_FALSESTART (1<<10)
 
 //-----------------------------------------------------------------------------
 // some default values
 //-----------------------------------------------------------------------------
 
 #define NS_HTTP_DEFAULT_PORT  80
 #define NS_HTTPS_DEFAULT_PORT 443
 
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -407,17 +407,17 @@ nsHttpChannel::SpeculativeConnect()
     nsCOMPtr<nsIInterfaceRequestor> callbacks;
     NS_NewNotificationCallbacksAggregation(mCallbacks, mLoadGroup,
                                            getter_AddRefs(callbacks));
     if (!callbacks)
         return;
 
     gHttpHandler->SpeculativeConnect(
         mConnectionInfo, callbacks,
-        mCaps & (NS_HTTP_ALLOW_RSA_FALSESTART | NS_HTTP_ALLOW_RC4_FALSESTART | NS_HTTP_DISALLOW_SPDY));
+        mCaps & (NS_HTTP_ALLOW_RSA_FALSESTART | NS_HTTP_DISALLOW_SPDY));
 }
 
 void
 nsHttpChannel::DoNotifyListenerCleanup()
 {
     // We don't need this info anymore
     CleanRedirectCacheChainIfNecessary();
 }
@@ -595,22 +595,16 @@ nsHttpChannel::RetrieveSSLOptions()
     uint32_t perm;
     nsresult rv = permMgr->TestPermissionFromPrincipal(principal,
                                                        "falsestart-rsa", &perm);
     if (NS_SUCCEEDED(rv) && perm == nsIPermissionManager::ALLOW_ACTION) {
         LOG(("nsHttpChannel::RetrieveSSLOptions [this=%p] "
              "falsestart-rsa permission found\n", this));
         mCaps |= NS_HTTP_ALLOW_RSA_FALSESTART;
     }
-    rv = permMgr->TestPermissionFromPrincipal(principal, "falsestart-rc4", &perm);
-    if (NS_SUCCEEDED(rv) && perm == nsIPermissionManager::ALLOW_ACTION) {
-        LOG(("nsHttpChannel::RetrieveSSLOptions [this=%p] "
-             "falsestart-rc4 permission found\n", this));
-        mCaps |= NS_HTTP_ALLOW_RC4_FALSESTART;
-    }
 }
 
 nsresult
 nsHttpChannel::SetupTransaction()
 {
     LOG(("nsHttpChannel::SetupTransaction [this=%p]\n", this));
 
     NS_ENSURE_TRUE(!mTransaction, NS_ERROR_ALREADY_INITIALIZED);
@@ -1096,17 +1090,16 @@ nsHttpChannel::IsHTTPS()
 }
 
 void
 nsHttpChannel::ProcessSSLInformation()
 {
     // If this is HTTPS, record any use of RSA so that Key Exchange Algorithm
     // can be whitelisted for TLS False Start in future sessions. We could
     // do the same for DH but its rarity doesn't justify the lookup.
-    // Also do the same for RC4 symmetric ciphers.
 
     if (mCanceled || NS_FAILED(mStatus) || !mSecurityInfo ||
         !IsHTTPS() || mPrivateBrowsing)
         return;
 
     nsCOMPtr<nsISSLSocketControl> ssl = do_QueryInterface(mSecurityInfo);
     nsCOMPtr<nsISSLStatusProvider> statusProvider =
         do_QueryInterface(mSecurityInfo);
@@ -1123,17 +1116,16 @@ nsHttpChannel::ProcessSSLInformation()
     if (NS_FAILED(sslstat->GetIsDomainMismatch(&trustCheck)) || trustCheck)
         return;
     if (NS_FAILED(sslstat->GetIsNotValidAtThisTime(&trustCheck)) || trustCheck)
         return;
     if (NS_FAILED(sslstat->GetIsUntrusted(&trustCheck)) || trustCheck)
         return;
 
     int16_t kea = ssl->GetKEAUsed();
-    int16_t symcipher = ssl->GetSymmetricCipherUsed();
 
     nsIPrincipal *principal = GetPrincipal();
     if (!principal)
         return;
 
     // set a permission manager flag that future transactions can
     // use via RetrieveSSLOptions(()
 
@@ -1151,27 +1143,16 @@ nsHttpChannel::ProcessSSLInformation()
                                   nsIPermissionManager::ALLOW_ACTION,
                                   nsIPermissionManager::EXPIRE_TIME,
                                   expireTime);
         LOG(("nsHttpChannel::ProcessSSLInformation [this=%p] "
              "falsestart-rsa permission granted for this host\n", this));
     } else {
         permMgr->RemoveFromPrincipal(principal, "falsestart-rsa");
     }
-
-    if (symcipher == ssl_calg_rc4) {
-        permMgr->AddFromPrincipal(principal, "falsestart-rc4",
-                                  nsIPermissionManager::ALLOW_ACTION,
-                                  nsIPermissionManager::EXPIRE_TIME,
-                                  expireTime);
-        LOG(("nsHttpChannel::ProcessSSLInformation [this=%p] "
-             "falsestart-rc4 permission granted for this host\n", this));
-    } else {
-        permMgr->RemoveFromPrincipal(principal, "falsestart-rc4");
-    }
 }
 
 nsresult
 nsHttpChannel::ProcessResponse()
 {
     nsresult rv;
     uint32_t httpStatus = mResponseHead->Status();
 
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@@ -386,22 +386,16 @@ nsHttpConnection::SetupSSL(uint32_t caps
         return;
 
     if (caps & NS_HTTP_ALLOW_RSA_FALSESTART) {
         LOG(("nsHttpConnection::SetupSSL %p "
              ">= RSA Key Exchange Expected\n", this));
         ssl->SetKEAExpected(ssl_kea_rsa);
     }
 
-    if (caps & NS_HTTP_ALLOW_RC4_FALSESTART) {
-        LOG(("nsHttpConnection::SetupSSL %p "
-             ">= RC4 Key Exchange Expected\n", this));
-        ssl->SetSymmetricCipherExpected(ssl_calg_rc4);
-    }
-
     nsTArray<nsCString> protocolArray;
 
     // The first protocol is used as the fallback if none of the
     // protocols supported overlap with the server's list.
     // In the case of overlap, matching priority is driven by
     // the order of the server's advertisement.
     protocolArray.AppendElement(NS_LITERAL_CSTRING("http/1.1"));
 
--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@@ -9,17 +9,17 @@
 interface nsIInterfaceRequestor;
 
 %{C++
 template<class T> class nsTArray;
 class nsCString;
 %}
 [ref] native nsCStringTArrayRef(nsTArray<nsCString>);
 
-[scriptable, builtinclass, uuid(c5eb9af4-238c-4fc6-bdec-d5ab5e7dce68)]
+[scriptable, builtinclass, uuid(5fe25c47-5462-4b85-b946-fc2e20c07cdf)]
 interface nsISSLSocketControl : nsISupports {
     attribute nsIInterfaceRequestor     notificationCallbacks;
 
     void proxyStartSSL();
     void StartTLS();
 
     /* NPN (Next Protocol Negotiation) is a mechanism for
        negotiating the protocol to be spoken inside the SSL
@@ -47,30 +47,27 @@ interface nsISSLSocketControl : nsISuppo
      * a desired NPN negotiated protocol of npnProtocol can use the socket
      * associated with this object instead of making a new one.
      */
     boolean joinConnection(
       in ACString npnProtocol, /* e.g. "spdy/2" */
       in ACString hostname,
       in long port);
 
-    /* The Key Exchange Algorithm and Symmetric Cipher
-       is used when determining whether or not to do false start.
-       After a handshake is complete it can be read from *Used,
-       before a handshake is started it may be set through *Expected.
-       The values correspond to the SSLKEAType and SSLCipherAlgorithm
-       enums in NSS or the *_UNKNOWN constant defined below.
+    /* The Key Exchange Algorithm is used when determining whether or
+       not to do false start.
+       After a handshake is complete it can be read from KEAUsed,
+       before a handshake is started it may be set through KEAExpected.
+       The values correspond to the SSLKEAType enum in NSS or the
+       KEY_EXCHANGE_UNKNOWN constant defined below.
     */
 
     [infallible] readonly attribute short KEAUsed;
     [infallible] attribute short KEAExpected;
-    [infallible] readonly attribute short SymmetricCipherUsed;
-    [infallible] attribute short SymmetricCipherExpected;
 
     const short KEY_EXCHANGE_UNKNOWN = -1;
-    const short SYMMETRIC_CIPHER_UNKNOWN = -1;
 
     /*
      * The original flags from the socket provider.
      */
     readonly attribute uint32_t providerFlags;
 };
 
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1303,15 +1303,14 @@ void HandshakeCallback(PRFileDesc* fd, v
         }
       }
 
       Telemetry::Accumulate(
           infoObject->IsFullHandshake()
             ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL
             : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED,
           cipherInfo.symCipher);
-      infoObject->SetSymmetricCipherUsed(cipherInfo.symCipher);
     }
   }
 
   infoObject->NoteTimeUntilReady();
   infoObject->SetHandshakeCompleted();
 }
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -128,18 +128,16 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedS
     mFalseStarted(false),
     mIsFullHandshake(false),
     mHandshakeCompleted(false),
     mJoined(false),
     mSentClientCert(false),
     mNotedTimeUntilReady(false),
     mKEAUsed(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
     mKEAExpected(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
-    mSymmetricCipherUsed(nsISSLSocketControl::SYMMETRIC_CIPHER_UNKNOWN),
-    mSymmetricCipherExpected(nsISSLSocketControl::SYMMETRIC_CIPHER_UNKNOWN),
     mProviderFlags(providerFlags),
     mSocketCreationTimestamp(TimeStamp::Now()),
     mPlaintextBytesRead(0)
 {
   mTLSVersionRange.min = 0;
   mTLSVersionRange.max = 0;
 }
 
@@ -170,37 +168,16 @@ nsNSSSocketInfo::GetKEAExpected(int16_t 
 
 NS_IMETHODIMP
 nsNSSSocketInfo::SetKEAExpected(int16_t aKea)
 {
   mKEAExpected = aKea;
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsNSSSocketInfo::GetSymmetricCipherUsed(int16_t *aSymmetricCipher)
-{
-  *aSymmetricCipher = mSymmetricCipherUsed;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNSSSocketInfo::GetSymmetricCipherExpected(int16_t *aSymmetricCipher)
-{
-  *aSymmetricCipher = mSymmetricCipherExpected;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNSSSocketInfo::SetSymmetricCipherExpected(int16_t aSymmetricCipher)
-{
-  mSymmetricCipherExpected = aSymmetricCipher;
-  return NS_OK;
-}
-
 NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(bool *aRememberClientAuthCertificate)
 {
   NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
   *aRememberClientAuthCertificate = mRememberClientAuthCertificate;
   return NS_OK;
 }
 
 NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(bool aRememberClientAuthCertificate)
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@@ -101,27 +101,16 @@ public:
   void SetKEAUsed(uint16_t kea) { mKEAUsed = kea; }
   inline int16_t GetKEAExpected() // infallible in nsISSLSocketControl
   {
     int16_t result;
     mozilla::DebugOnly<nsresult> rv = GetKEAExpected(&result);
     MOZ_ASSERT(NS_SUCCEEDED(rv));
     return result;
   }
-  void SetSymmetricCipherUsed(uint16_t symmetricCipher)
-  {
-    mSymmetricCipherUsed = symmetricCipher;
-  }
-  inline int16_t GetSymmetricCipherExpected() // infallible in nsISSLSocketControl
-  {
-    int16_t result;
-    mozilla::DebugOnly<nsresult> rv = GetSymmetricCipherExpected(&result);
-    MOZ_ASSERT(NS_SUCCEEDED(rv));
-    return result;
-  }
 
 private:
   PRFileDesc* mFd;
 
   CertVerificationState mCertVerificationState;
 
   mozilla::psm::SharedSSLState& mSharedState;
   bool mForSTARTTLS;
@@ -138,22 +127,20 @@ private:
   bool      mFalseStartCallbackCalled;
   bool      mFalseStarted;
   bool      mIsFullHandshake;
   bool      mHandshakeCompleted;
   bool      mJoined;
   bool      mSentClientCert;
   bool      mNotedTimeUntilReady;
 
-  // mKEA* and mSymmetricCipher* are used in false start detetermination
-  // values are from nsISSLSocketControl
+  // mKEA* are used in false start detetermination
+  // Values are from nsISSLSocketControl
   int16_t mKEAUsed;
   int16_t mKEAExpected;
-  int16_t mSymmetricCipherUsed;
-  int16_t mSymmetricCipherExpected;
 
   uint32_t mProviderFlags;
   mozilla::TimeStamp mSocketCreationTimestamp;
   uint64_t mPlaintextBytesRead;
 };
 
 class nsSSLIOLayerHelpers
 {