Bug 1644528 - Allow DisabledCiphers policy to enable ciphers. r=keeler, a=jcristau
authorMichael Kaply <mozilla@kaply.com>
Wed, 17 Jun 2020 17:17:04 +0000
changeset 597213 926a371d4880c7f44a2dd183ffaa8bf0cff089da
parent 597212 a5ee1b70990951ef13fc291aa6cb7f53bba75bdf
child 597214 54c5302329fdde190561427e713e0932339f1f3a
push id13299
push userjcristau@mozilla.com
push dateThu, 18 Jun 2020 09:58:53 +0000
reviewerskeeler, jcristau
bugs1644528
milestone78.0
Bug 1644528 - Allow DisabledCiphers policy to enable ciphers. r=keeler, a=jcristau Differential Revision: https://phabricator.services.mozilla.com/D78966
browser/components/enterprisepolicies/Policies.jsm
browser/components/enterprisepolicies/schemas/policies-schema.json
browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -409,41 +409,80 @@ var Policies = {
         setAndLockPref("pdfjs.disabled", true);
       }
     },
   },
 
   DisabledCiphers: {
     onBeforeAddons(manager, param) {
       if ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.dhe_rsa_aes_128_sha", false);
+        setAndLockPref(
+          "security.ssl3.dhe_rsa_aes_128_sha",
+          !param.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+        );
       }
       if ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.dhe_rsa_aes_256_sha", false);
+        setAndLockPref(
+          "security.ssl3.dhe_rsa_aes_256_sha",
+          !param.TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+        );
       }
       if ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
+        setAndLockPref(
+          "security.ssl3.ecdhe_rsa_aes_128_sha",
+          !param.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+        );
       }
       if ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
+        setAndLockPref(
+          "security.ssl3.ecdhe_rsa_aes_256_sha",
+          !param.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+        );
       }
       if ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" in param) {
-        setAndLockPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", false);
+        setAndLockPref(
+          "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
+          !param.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        );
       }
       if ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" in param) {
-        setAndLockPref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", false);
+        setAndLockPref(
+          "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",
+          !param.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        );
       }
       if ("TLS_RSA_WITH_AES_128_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.rsa_aes_128_sha", false);
+        setAndLockPref(
+          "security.ssl3.rsa_aes_128_sha",
+          !param.TLS_RSA_WITH_AES_128_CBC_SHA
+        );
       }
       if ("TLS_RSA_WITH_AES_256_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.rsa_aes_256_sha", false);
+        setAndLockPref(
+          "security.ssl3.rsa_aes_256_sha",
+          !param.TLS_RSA_WITH_AES_256_CBC_SHA
+        );
       }
       if ("TLS_RSA_WITH_3DES_EDE_CBC_SHA" in param) {
-        setAndLockPref("security.ssl3.rsa_des_ede3_sha", false);
+        setAndLockPref(
+          "security.ssl3.rsa_des_ede3_sha",
+          !param.TLS_RSA_WITH_3DES_EDE_CBC_SHA
+        );
+      }
+      if ("TLS_RSA_WITH_AES_128_GCM_SHA256" in param) {
+        setAndLockPref(
+          "security.ssl3.rsa_aes_128_gcm_sha256",
+          !param.TLS_RSA_WITH_AES_128_GCM_SHA256
+        );
+      }
+      if ("TLS_RSA_WITH_AES_256_GCM_SHA384" in param) {
+        setAndLockPref(
+          "security.ssl3.rsa_aes_256_gcm_sha384",
+          !param.TLS_RSA_WITH_AES_256_GCM_SHA384
+        );
       }
     },
   },
 
   DisableDefaultBrowserAgent: {
     // The implementation of this policy is in the default browser agent itself
     // (/toolkit/mozapps/defaultagent); we need an entry for it here so that it
     // shows up in about:policies as a real policy and not as an error.
--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -222,16 +222,22 @@
         "TLS_RSA_WITH_AES_128_CBC_SHA": {
           "type": "boolean"
         },
         "TLS_RSA_WITH_AES_256_CBC_SHA": {
           "type": "boolean"
         },
         "TLS_RSA_WITH_3DES_EDE_CBC_SHA": {
           "type": "boolean"
+        },
+        "TLS_RSA_WITH_AES_128_GCM_SHA256": {
+          "type": "boolean"
+        },
+        "TLS_RSA_WITH_AES_256_GCM_SHA384": {
+          "type": "boolean"
         }
       }
     },
 
     "DisableDefaultBrowserAgent": {
       "type": "boolean"
     },
 
--- a/browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js
+++ b/browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js
@@ -709,16 +709,79 @@ const POLICIES_TESTS = [
         Enabled: false,
         Locked: true,
       },
     },
     lockedPrefs: {
       "media.videocontrols.picture-in-picture.video-toggle.enabled": false,
     },
   },
+
+  // POLICY: DisabledCiphers
+  {
+    policies: {
+      DisabledCiphers: {
+        TLS_DHE_RSA_WITH_AES_128_CBC_SHA: false,
+        TLS_DHE_RSA_WITH_AES_256_CBC_SHA: false,
+        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: false,
+        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: false,
+        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: false,
+        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: false,
+        TLS_RSA_WITH_AES_128_CBC_SHA: false,
+        TLS_RSA_WITH_AES_256_CBC_SHA: false,
+        TLS_RSA_WITH_3DES_EDE_CBC_SHA: false,
+        TLS_RSA_WITH_AES_128_GCM_SHA256: false,
+        TLS_RSA_WITH_AES_256_GCM_SHA384: false,
+      },
+    },
+    lockedPrefs: {
+      "security.ssl3.dhe_rsa_aes_128_sha": true,
+      "security.ssl3.dhe_rsa_aes_256_sha": true,
+      "security.ssl3.ecdhe_rsa_aes_128_sha": true,
+      "security.ssl3.ecdhe_rsa_aes_256_sha": true,
+      "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": true,
+      "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": true,
+      "security.ssl3.rsa_aes_128_sha": true,
+      "security.ssl3.rsa_aes_256_sha": true,
+      "security.ssl3.rsa_des_ede3_sha": true,
+      "security.ssl3.rsa_aes_128_gcm_sha256": true,
+      "security.ssl3.rsa_aes_256_gcm_sha384": true,
+    },
+  },
+
+  {
+    policies: {
+      DisabledCiphers: {
+        TLS_DHE_RSA_WITH_AES_128_CBC_SHA: true,
+        TLS_DHE_RSA_WITH_AES_256_CBC_SHA: true,
+        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: true,
+        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: true,
+        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: true,
+        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
+        TLS_RSA_WITH_AES_128_CBC_SHA: true,
+        TLS_RSA_WITH_AES_256_CBC_SHA: true,
+        TLS_RSA_WITH_3DES_EDE_CBC_SHA: true,
+        TLS_RSA_WITH_AES_128_GCM_SHA256: true,
+        TLS_RSA_WITH_AES_256_GCM_SHA384: true,
+      },
+    },
+    lockedPrefs: {
+      "security.ssl3.dhe_rsa_aes_128_sha": false,
+      "security.ssl3.dhe_rsa_aes_256_sha": false,
+      "security.ssl3.ecdhe_rsa_aes_128_sha": false,
+      "security.ssl3.ecdhe_rsa_aes_256_sha": false,
+      "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": false,
+      "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": false,
+      "security.ssl3.rsa_aes_128_sha": false,
+      "security.ssl3.rsa_aes_256_sha": false,
+      "security.ssl3.rsa_des_ede3_sha": false,
+      "security.ssl3.rsa_aes_128_gcm_sha256": false,
+      "security.ssl3.rsa_aes_256_gcm_sha384": false,
+    },
+  },
 ];
 
 add_task(async function test_policy_simple_prefs() {
   for (let test of POLICIES_TESTS) {
     await setupPolicyEngineWithJson({
       policies: test.policies,
     });