Bug 1250568 - Adding TLS 1.3 to nsISSLStatus, r=keeler
authorMartin Thomson <martin.thomson@gmail.com>
Mon, 04 Apr 2016 16:21:19 -0300
changeset 298149 d30839422ea9e4afccf4f3f27a417a77c018564c
parent 298148 600ad888b875fb2913fc795d7ec8592257bc181a
child 298150 8550398c99fb9529416a034f6310fd2c5d0911d4
push id30273
push userkwierso@gmail.com
push dateFri, 20 May 2016 21:08:12 +0000
reviewerskeeler
bugs1250568
milestone49.0a1
Bug 1250568 - Adding TLS 1.3 to nsISSLStatus, r=keeler MozReview-Commit-ID: 4mLdtsdFoKN
browser/base/content/pageinfo/security.js
devtools/shared/security/socket.js
devtools/shared/webconsole/network-helper.js
devtools/shared/webconsole/test/unit/test_security-info-protocol-version.js
netwerk/base/nsITLSServerSocket.idl
netwerk/socket/nsISSLSocketControl.idl
security/manager/ssl/nsISSLStatus.idl
--- a/browser/base/content/pageinfo/security.js
+++ b/browser/base/content/pageinfo/security.js
@@ -85,16 +85,19 @@ var security = {
           retval.version = "TLS 1.0";
           break;
         case nsISSLStatus.TLS_VERSION_1_1:
           retval.version = "TLS 1.1";
           break;
         case nsISSLStatus.TLS_VERSION_1_2:
           retval.version = "TLS 1.2"
           break;
+        case nsISSLStatus.TLS_VERSION_1_3:
+          retval.version = "TLS 1.3"
+          break;
       }
 
       return retval;
     } else {
       return {
         hostName : hostName,
         cAName : "",
         encryptionAlgorithm : "",
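Review bot: The added assignment `retval.version = "TLS 1.3"` has no terminating semicolon and relies on ASI, copying the pre-existing TLS 1.2 line directly above it; the new line should read `retval.version = "TLS 1.3";`. The opening of the switch and any default branch are outside the hunk, so it cannot be seen here whether a protocolVersion outside the listed constants leaves retval.version unset. The enclosing function in the `security` object starts before the hunk.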
--- a/devtools/shared/security/socket.js
+++ b/devtools/shared/security/socket.js
@@ -670,17 +670,17 @@ ServerSocketConnection.prototype = {
     /*
      * TODO: These rules should be really be set on the TLS socket directly, but
      * this would need more platform work to expose it via XPCOM.
      *
      * Enforcing cipher suites here would be a bad idea, as we want TLS
      * cipher negotiation to work correctly.  The server already allows only
      * Gecko's normal set of cipher suites.
      */
-    if (clientStatus.tlsVersionUsed != Ci.nsITLSClientStatus.TLS_VERSION_1_2) {
+    if (clientStatus.tlsVersionUsed < Ci.nsITLSClientStatus.TLS_VERSION_1_2) {
       this._handshakeDeferred.reject(Cr.NS_ERROR_CONNECTION_REFUSED);
       return;
     }
 
     this._handshakeDeferred.resolve();
   },
 
   _authenticate: Task.async(function*() {
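Review bot: The change from `!=` to `<` makes the handshake gate depend on the numeric ordering of the nsITLSClientStatus constants, and nothing in the hunk states that assumption; a comment on the rewritten line would make it explicit, e.g. `// tlsVersionUsed is the TLS wire version (0x0303 = 1.2), so '<' also rejects TLS_VERSION_UNKNOWN (-1).` In this commit's nsITLSServerSocket.idl hunk the constants are the wire values 0x0300–0x0304 with TLS_VERSION_UNKNOWN = -1, so the relational comparison does hold for that interface. The enclosing method of ServerSocketConnection.prototype starts before the hunk.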
--- a/devtools/shared/webconsole/network-helper.js
+++ b/devtools/shared/webconsole/network-helper.js
@@ -521,17 +521,17 @@ var NetworkHelper = {
    *                    * "insecure": the connection was not secure (only http)
    *                    * "weak": the connection has minor security issues
    *                    * "broken": secure connection failed (e.g. expired cert)
    *                    * "secure": the connection was properly secured.
    *          If state == broken:
    *            - errorMessage: full error message from
    *                            nsITransportSecurityInfo.
    *          If state == secure:
-   *            - protocolVersion: one of TLSv1, TLSv1.1, TLSv1.2.
+   *            - protocolVersion: one of TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
    *            - cipherSuite: the cipher suite used in this connection.
    *            - cert: information about certificate used in this connection.
    *                    See parseCertificateInfo for the contents.
    *            - hsts: true if host uses Strict Transport Security,
    *                    false otherwise
    *            - hpkp: true if host uses Public Key Pinning, false otherwise
    *          If state == weak: Same as state == secure and
    *            - weaknessReasons: list of reasons that cause the request to be
@@ -705,27 +705,29 @@ var NetworkHelper = {
 
   /**
    * Takes protocolVersion of SSLStatus object and returns human readable
    * description.
    *
    * @param Number version
    *        One of nsISSLStatus version constants.
    * @return string
-   *         One of TLSv1, TLSv1.1, TLSv1.2 if @param version is valid,
-   *         Unknown otherwise.
+   *         One of TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 if @param version
+   *         is valid, Unknown otherwise.
    */
   formatSecurityProtocol: function (version) {
     switch (version) {
       case Ci.nsISSLStatus.TLS_VERSION_1:
         return "TLSv1";
       case Ci.nsISSLStatus.TLS_VERSION_1_1:
         return "TLSv1.1";
       case Ci.nsISSLStatus.TLS_VERSION_1_2:
         return "TLSv1.2";
+      case Ci.nsISSLStatus.TLS_VERSION_1_3:
+        return "TLSv1.3";
       default:
         DevToolsUtils.reportException("NetworkHelper.formatSecurityProtocol",
           "protocolVersion " + version + " is unknown.");
         return "Unknown";
     }
   },
 
   /**
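Review bot: formatSecurityProtocol switches on nsISSLStatus constants, which in this commit's nsISSLStatus.idl hunk are small indices (TLS_VERSION_1_3 = 4), whereas nsISSLSocketControl and nsITLSClientStatus use the TLS wire values (0x0304); the hunk gives no hint that the two enumerations differ. A comment above the switch would keep a later contributor from passing a wire version here, e.g. `// version is an nsISSLStatus index (0-4), not a TLS wire version (0x03xx).` It also appears that SSL_VERSION_3 (0) falls into the default branch and is reported as unknown, but that behaviour predates this change.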
--- a/devtools/shared/webconsole/test/unit/test_security-info-protocol-version.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-protocol-version.js
@@ -27,16 +27,20 @@ const TEST_CASES = [
     description: "TLS_VERSION_1.1",
     input: 2,
     expected: "TLSv1.1"
   }, {
     description: "TLS_VERSION_1.2",
     input: 3,
     expected: "TLSv1.2"
   }, {
+    description: "TLS_VERSION_1.3",
+    input: 4,
+    expected: "TLSv1.3"
+  }, {
     description: "invalid version",
     input: -1,
     expected: "Unknown"
   },
 ];
 
 function run_test() {
   do_print("Testing NetworkHelper.formatSecurityProtocol.");
--- a/netwerk/base/nsITLSServerSocket.idl
+++ b/netwerk/base/nsITLSServerSocket.idl
@@ -95,16 +95,17 @@ interface nsITLSClientStatus : nsISuppor
 
   /**
    * Values for tlsVersionUsed, as defined by TLS
    */
   const short SSL_VERSION_3   = 0x0300;
   const short TLS_VERSION_1   = 0x0301;
   const short TLS_VERSION_1_1 = 0x0302;
   const short TLS_VERSION_1_2 = 0x0303;
+  const short TLS_VERSION_1_3 = 0x0304;
   const short TLS_VERSION_UNKNOWN = -1;
 
   /**
    * tlsVersionUsed
    *
    * The version of TLS used by the connection.  See values above.
    */
   readonly attribute short tlsVersionUsed;
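Review bot: The same wire-version table now has to be extended in lockstep in this interface and in nsISSLSocketControl.idl (the next hunk of this commit), while nsISSLStatus.idl carries a third, index-based table; nothing in either IDL hunk points at the other copies. A one-line cross-reference after the new constant would reduce the chance of the tables drifting, e.g. `// Keep in sync with nsISSLSocketControl.idl; nsISSLStatus.idl uses indices, not wire versions.` The same note applies to the nsISSLSocketControl.idl hunk.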
--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@@ -78,16 +78,17 @@ interface nsISSLSocketControl : nsISuppo
      */
     readonly attribute uint32_t providerFlags;
 
     /* These values are defined by TLS. */
     const short SSL_VERSION_3   = 0x0300;
     const short TLS_VERSION_1   = 0x0301;
     const short TLS_VERSION_1_1 = 0x0302;
     const short TLS_VERSION_1_2 = 0x0303;
+    const short TLS_VERSION_1_3 = 0x0304;
     const short SSL_VERSION_UNKNOWN = -1;
 
     [infallible] readonly attribute short SSLVersionUsed;
     [infallible] readonly attribute short SSLVersionOffered;
 
     /* These values match the NSS defined values in sslt.h */
     const short SSL_MAC_UNKNOWN = -1;
     const short SSL_MAC_NULL    = 0;
--- a/security/manager/ssl/nsISSLStatus.idl
+++ b/security/manager/ssl/nsISSLStatus.idl
@@ -15,16 +15,17 @@ interface nsISSLStatus : nsISupports {
   readonly attribute ACString cipherName;
   readonly attribute unsigned long keyLength;
   readonly attribute unsigned long secretKeyLength;
 
   const short SSL_VERSION_3   = 0;
   const short TLS_VERSION_1   = 1;
   const short TLS_VERSION_1_1 = 2;
   const short TLS_VERSION_1_2 = 3;
+  const short TLS_VERSION_1_3 = 4;
   readonly attribute unsigned short protocolVersion;
 
   readonly attribute boolean isDomainMismatch;
   readonly attribute boolean isNotValidAtThisTime;
 
   /* Note: To distinguish between
    *         "unstrusted because missing or untrusted issuer"
    *       and
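Review bot: The `protocolVersion` attribute directly below the new constant carries no documentation, so a reader of the IDL cannot tell that it is one of the TLS_VERSION_* indices above rather than a TLS wire version; a comment such as `/* One of the SSL_VERSION_3 / TLS_VERSION_* constants above (an index, not the TLS wire version). */` on the attribute would close that gap. The constants are declared `short` while the attribute is `unsigned short`, which predates this change but is worth noting in the same comment if the mismatch is intentional.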