[tor-browser] branch tor-browser-91.13.0esr-11.5-1 updated (01085f53eece2 -> a4c279e9f8e5e)
This is an automated email from the git hooks/post-receive script. richard pushed a change to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. from 01085f53eece2 Bug 11698: Incorporate Tor Browser Manual pages into Tor Browser new 5eba1842a0124 fixup! Firefox preference overrides. new 59ba109bb0c8a Bug 1722489 - Evaluate HSTS before https-only in NS_ShouldSecureUpgrade. r=ckerschb,necko-reviewers,kershaw new 6886d4968b891 Bug 1724080: Have https-first and https-only rules apply to speculative connections r=kershaw new b8f5ec1fdc68d fixup! Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing new 0db9a71fed279 Bug 41089: Add tor-browser build scripts + Makefile to tor-browser new f1d4307fb949d fixup! Bug 41089: Add tor-browser build scripts + Makefile to tor-browser new 25dea5a6c3e74 fixup! Bug 26961: New user onboarding. new a4c279e9f8e5e fixup! Bug 23247: Communicating security expectations for .onion The 8 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .gitignore | 3 + browser/app/profile/001-base-profile.js | 12 + browser/base/content/browser-siteIdentity.js | 6 +- .../google/_locales/region-by/messages.json | 20 -- .../google/_locales/region-kz/messages.json | 20 -- .../google/_locales/region-ru/messages.json | 20 -- .../google/_locales/region-tr/messages.json | 20 -- .../extensions/onboarding/content/Onboarding.jsm | 2 +- .../en-US/chrome/security/security.properties | 6 + dom/security/nsHTTPSOnlyUtils.cpp | 24 +- dom/security/test/https-first/browser.ini | 2 + .../browser_httpsfirst_speculative_connect.js | 69 ++++ .../https-first/browser_mixed_content_console.js | 2 +- .../file_httpsfirst_speculative_connect.html | 1 + dom/security/test/https-only/browser.ini | 5 + dom/security/test/https-only/browser_hsts_host.js | 111 +++++++ .../browser_httpsonly_speculative_connect.js | 69 ++++ .../file_httpsonly_speculative_connect.html | 1 + dom/security/test/https-only/hsts_headers.sjs | 24 ++ netwerk/base/nsIOService.cpp | 22 ++ netwerk/base/nsNetUtil.cpp | 354 ++++++++++++--------- security/certverifier/CertVerifier.cpp | 22 +- security/manager/ssl/SSLServerCertVerification.cpp | 15 +- security/manager/ssl/nsNSSIOLayer.cpp | 13 +- security/nss/lib/mozpkix/include/pkix/Result.h | 2 + security/nss/lib/mozpkix/include/pkix/pkixnss.h | 1 + tools/torbrowser/Makefile | 44 +++ tools/torbrowser/bridges.js | 77 +++++ tools/torbrowser/build.sh | 7 + tools/torbrowser/clobber.sh | 6 + tools/torbrowser/config.sh | 6 + tools/torbrowser/deploy.sh | 23 ++ tools/torbrowser/fetch.sh | 30 ++ tools/torbrowser/ide.sh | 8 + tools/torbrowser/jslint.sh | 8 + 35 files changed, 799 insertions(+), 256 deletions(-) delete mode 100644 browser/components/search/extensions/google/_locales/region-by/messages.json delete mode 100644 browser/components/search/extensions/google/_locales/region-kz/messages.json delete mode 100644 browser/components/search/extensions/google/_locales/region-ru/messages.json delete mode 100644 browser/components/search/extensions/google/_locales/region-tr/messages.json create mode 100644 dom/security/test/https-first/browser_httpsfirst_speculative_connect.js create mode 100644 dom/security/test/https-first/file_httpsfirst_speculative_connect.html create mode 100644 dom/security/test/https-only/browser_hsts_host.js create mode 100644 dom/security/test/https-only/browser_httpsonly_speculative_connect.js create mode 100644 dom/security/test/https-only/file_httpsonly_speculative_connect.html create mode 100644 dom/security/test/https-only/hsts_headers.sjs create mode 100644 tools/torbrowser/Makefile create mode 100644 tools/torbrowser/bridges.js create mode 100755 tools/torbrowser/build.sh create mode 100755 tools/torbrowser/clobber.sh create mode 100755 tools/torbrowser/config.sh create mode 100755 tools/torbrowser/deploy.sh create mode 100755 tools/torbrowser/fetch.sh create mode 100755 tools/torbrowser/ide.sh create mode 100755 tools/torbrowser/jslint.sh -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit 5eba1842a0124ea28e7f211d7cb6fdb1793e6e3b Author: Richard Pospesel <richard@torproject.org> AuthorDate: Thu Aug 4 09:00:02 2022 +0000 fixup! Firefox preference overrides. Bug 27719: Treat unsafe renegotiation as broken --- browser/app/profile/001-base-profile.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/browser/app/profile/001-base-profile.js b/browser/app/profile/001-base-profile.js index 79538d3e809ee..2752e95313751 100644 --- a/browser/app/profile/001-base-profile.js +++ b/browser/app/profile/001-base-profile.js @@ -64,6 +64,18 @@ pref("media.memory_cache_max_size", 16384); pref("dom.security.https_only_mode", true); pref("dom.security.https_only_mode.upgrade_onion", false); +// Require Safe Negotiation ( https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27719 ) +// Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a +// MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations +// but the problem is that the browser can't know that. Setting this pref to true is the only way for the +// browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server +// [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4] +// [1] https://wiki.mozilla.org/Security:Renegotiation +// [2] https://datatracker.ietf.org/doc/html/rfc5746 +// [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 +// [4] https://www.ssllabs.com/ssl-pulse/ +pref("security.ssl.require_safe_negotiation", true); + // Misc privacy: Remote pref("browser.send_pings", false); pref("geo.enabled", false); -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit 59ba109bb0c8a3967e80d047569beef159f73db3 Author: lyavor <lyavor@mozilla.com> AuthorDate: Mon Oct 11 13:51:53 2021 +0000 Bug 1722489 - Evaluate HSTS before https-only in NS_ShouldSecureUpgrade. r=ckerschb,necko-reviewers,kershaw Differential Revision: https://phabricator.services.mozilla.com/D126238 --- dom/security/test/https-only/browser.ini | 3 + dom/security/test/https-only/browser_hsts_host.js | 111 +++++++ dom/security/test/https-only/hsts_headers.sjs | 24 ++ netwerk/base/nsNetUtil.cpp | 354 ++++++++++++---------- 4 files changed, 338 insertions(+), 154 deletions(-) diff --git a/dom/security/test/https-only/browser.ini b/dom/security/test/https-only/browser.ini index bfe3b05140614..5797ace1adb1d 100644 --- a/dom/security/test/https-only/browser.ini +++ b/dom/security/test/https-only/browser.ini @@ -16,3 +16,6 @@ support-files = [browser_user_gesture.js] support-files = file_user_gesture.html +[browser_hsts_host.js] +support-files = + hsts_headers.sjs diff --git a/dom/security/test/https-only/browser_hsts_host.js b/dom/security/test/https-only/browser_hsts_host.js new file mode 100644 index 0000000000000..2bef7ffe44813 --- /dev/null +++ b/dom/security/test/https-only/browser_hsts_host.js @@ -0,0 +1,111 @@ +// Bug 1722489 - HTTPS-Only Mode - Tests evaluation order +// https://bugzilla.mozilla.org/show_bug.cgi?id=1722489 +// This test ensures that an http request to an hsts host +// gets upgraded by hsts and not by https-only. +"use strict"; + +// Set bools to track that tests ended. +let readMessage = false; +let testFinished = false; +// Visit a secure site that sends an HSTS header to set up the rest of the +// test. +add_task(async function see_hsts_header() { + let setHstsUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers.sjs"; + Services.obs.addObserver(observer, "http-on-examine-response"); + await BrowserTestUtils.loadURI(gBrowser.selectedBrowser, setHstsUrl); + + await BrowserTestUtils.waitForCondition(() => readMessage); + // Clean up + Services.obs.removeObserver(observer, "http-on-examine-response"); +}); + +// Test that HTTPS_Only is not performed if HSTS host is visited. +add_task(async function() { + // A longer timeout is necessary for this test than the plain mochitests + // due to opening a new tab with the web console. + requestLongerTimeout(4); + + // Enable HTTPS-Only Mode and register console-listener + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.https_only_mode", true]], + }); + Services.console.registerListener(onNewMessage); + const RESOURCE_LINK = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" + ) + "hsts_headers.sjs"; + + // 1. Upgrade page to https:// + await BrowserTestUtils.loadURI(gBrowser.selectedBrowser, RESOURCE_LINK); + + await BrowserTestUtils.waitForCondition(() => testFinished); + + // Clean up + Services.console.unregisterListener(onNewMessage); +}); + +add_task(async function() { + // Reset HSTS header + readMessage = false; + let clearHstsUrl = + getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" + ) + "hsts_headers.sjs?reset"; + + Services.obs.addObserver(observer, "http-on-examine-response"); + // reset hsts header + await BrowserTestUtils.loadURI(gBrowser.selectedBrowser, clearHstsUrl); + await BrowserTestUtils.waitForCondition(() => readMessage); + // Clean up + Services.obs.removeObserver(observer, "http-on-examine-response"); +}); + +function observer(subject, topic, state) { + info("observer called with " + topic); + if (topic == "http-on-examine-response") { + onExamineResponse(subject); + } +} + +function onExamineResponse(subject) { + let channel = subject.QueryInterface(Ci.nsIHttpChannel); + info("onExamineResponse with " + channel.URI.spec); + if (channel.URI.spec.includes("reset")) { + try { + let hsts = channel.getResponseHeader("Strict-Transport-Security"); + is(hsts, "max-age=0", "HSTS header is not set"); + } catch (e) { + ok(false, "HSTS header still set"); + } + readMessage = true; + return; + } + try { + let hsts = channel.getResponseHeader("Strict-Transport-Security"); + let csp = channel.getResponseHeader("Content-Security-Policy"); + // Check that HSTS and CSP upgrade headers are set + is(hsts, "max-age=60", "HSTS header is set"); + is(csp, "upgrade-insecure-requests", "CSP header is set"); + } catch (e) { + ok(false, "No header set"); + } + readMessage = true; +} + +function onNewMessage(msgObj) { + const message = msgObj.message; + // ensure that request is not upgraded HTTPS-Only. + if (message.includes("Upgrading insecure request")) { + ok(false, "Top-Level upgrade shouldn't get logged"); + testFinished = true; + } else if (gBrowser.selectedBrowser.currentURI.scheme === "https") { + ok(true, "Top-Level upgrade shouldn't get logged"); + testFinished = true; + } +} diff --git a/dom/security/test/https-only/hsts_headers.sjs b/dom/security/test/https-only/hsts_headers.sjs new file mode 100644 index 0000000000000..72e82caaf3466 --- /dev/null +++ b/dom/security/test/https-only/hsts_headers.sjs @@ -0,0 +1,24 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +function handleRequest(request, response) { + if (request.queryString === "reset") { + // Reset the HSTS policy, prevent influencing other tests + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Strict-Transport-Security", "max-age=0"); + response.write("Resetting HSTS"); + return; + } + let hstsHeader = "max-age=60"; + response.setHeader("Strict-Transport-Security", hstsHeader); + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + // Set header for csp upgrade + response.setHeader( + "Content-Security-Policy", + "upgrade-insecure-requests", + false + ); + response.setStatusLine(request.httpVersion, 200); + response.write("<!DOCTYPE html><html><body><h1>Ok!</h1></body></html>"); +} diff --git a/netwerk/base/nsNetUtil.cpp b/netwerk/base/nsNetUtil.cpp index e7602ce75e3b4..824f0979e506e 100644 --- a/netwerk/base/nsNetUtil.cpp +++ b/netwerk/base/nsNetUtil.cpp @@ -2827,6 +2827,112 @@ bool NS_IsSrcdocChannel(nsIChannel* aChannel) { return false; } +// helper function for NS_ShouldSecureUpgrade for checking HSTS +bool handleResultFunc(bool aAllowSTS, bool aIsStsHost, uint32_t aHstsSource) { + if (aIsStsHost) { + LOG(("nsHttpChannel::Connect() STS permissions found\n")); + if (aAllowSTS) { + Telemetry::AccumulateCategorical( + Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::STS); + switch (aHstsSource) { + case nsISiteSecurityService::SOURCE_PRELOAD_LIST: + Telemetry::Accumulate(Telemetry::HSTS_UPGRADE_SOURCE, 0); + break; + case nsISiteSecurityService::SOURCE_ORGANIC_REQUEST: + Telemetry::Accumulate(Telemetry::HSTS_UPGRADE_SOURCE, 1); + break; + case nsISiteSecurityService::SOURCE_UNKNOWN: + default: + // record this as an organic request + Telemetry::Accumulate(Telemetry::HSTS_UPGRADE_SOURCE, 1); + break; + } + return true; + } + Telemetry::AccumulateCategorical( + Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::PrefBlockedSTS); + } else { + Telemetry::AccumulateCategorical( + Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::NoReasonToUpgrade); + } + return false; +}; +// That function is a helper function of NS_ShouldSecureUpgrade to check if +// CSP upgrade-insecure-requests, Mixed content auto upgrading or HTTPs-Only/- +// First should upgrade the given request. +static bool ShouldSecureUpgradeNoHSTS(nsIURI* aURI, nsILoadInfo* aLoadInfo) { + // 2. CSP upgrade-insecure-requests + if (aLoadInfo->GetUpgradeInsecureRequests()) { + // let's log a message to the console that we are upgrading a request + nsAutoCString scheme; + aURI->GetScheme(scheme); + // append the additional 's' for security to the scheme :-) + scheme.AppendLiteral("s"); + NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); + NS_ConvertUTF8toUTF16 reportScheme(scheme); + AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; + uint32_t innerWindowId = aLoadInfo->GetInnerWindowID(); + CSP_LogLocalizedStr("upgradeInsecureRequest", params, + u""_ns, // aSourceFile + u""_ns, // aScriptSample + 0, // aLineNumber + 0, // aColumnNumber + nsIScriptError::warningFlag, + "upgradeInsecureRequest"_ns, innerWindowId, + !!aLoadInfo->GetOriginAttributes().mPrivateBrowsingId); + Telemetry::AccumulateCategorical( + Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::CSP); + return true; + } + // 3. Mixed content auto upgrading + if (aLoadInfo->GetBrowserUpgradeInsecureRequests()) { + // let's log a message to the console that we are upgrading a request + nsAutoCString scheme; + aURI->GetScheme(scheme); + // append the additional 's' for security to the scheme :-) + scheme.AppendLiteral("s"); + NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); + NS_ConvertUTF8toUTF16 reportScheme(scheme); + AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; + + nsAutoString localizedMsg; + nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES, + "MixedContentAutoUpgrade", params, + localizedMsg); + + // Prepending ixed Content to the outgoing console message + nsString message; + message.AppendLiteral(u"Mixed Content: "); + message.Append(localizedMsg); + + uint32_t innerWindowId = aLoadInfo->GetInnerWindowID(); + nsContentUtils::ReportToConsoleByWindowID( + message, nsIScriptError::warningFlag, "Mixed Content Message"_ns, + innerWindowId, aURI); + + // Set this flag so we know we'll upgrade because of + // 'security.mixed_content.upgrade_display_content'. + aLoadInfo->SetBrowserDidUpgradeInsecureRequests(true); + Telemetry::AccumulateCategorical( + Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::BrowserDisplay); + + return true; + } + + // 4. Https-Only / -First + if (nsHTTPSOnlyUtils::ShouldUpgradeRequest(aURI, aLoadInfo) || + nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(aURI, aLoadInfo)) { + return true; + } + return false; +} + +// Check if channel should be upgraded. check in the following order: +// 1. HSTS +// 2. CSP upgrade-insecure-requests +// 3. Mixed content auto upgrading +// 4. Https-Only / first +// (5. Https RR - will be checked in nsHttpChannel) nsresult NS_ShouldSecureUpgrade( nsIURI* aURI, nsILoadInfo* aLoadInfo, nsIPrincipal* aChannelResultPrincipal, bool aPrivateBrowsing, bool aAllowSTS, @@ -2839,6 +2945,7 @@ nsresult NS_ShouldSecureUpgrade( } aWillCallback = false; + aShouldUpgrade = false; // Even if we're in private browsing mode, we still enforce existing STS // data (it is read-only). @@ -2846,166 +2953,105 @@ nsresult NS_ShouldSecureUpgrade( // a superdomain wants to force HTTPS, do it. bool isHttps = aURI->SchemeIs("https"); - if (!isHttps && - !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(aURI)) { - if (aLoadInfo) { - // Check if the request can get upgraded with the HTTPS-Only mode - if (nsHTTPSOnlyUtils::ShouldUpgradeRequest(aURI, aLoadInfo) || - nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(aURI, aLoadInfo)) { - aShouldUpgrade = true; - return NS_OK; - } - - // If any of the documents up the chain to the root document makes use of - // the CSP directive 'upgrade-insecure-requests', then it's time to - // fulfill the promise to CSP and mixed content blocking to upgrade the - // channel from http to https. - if (aLoadInfo->GetUpgradeInsecureRequests() || - aLoadInfo->GetBrowserUpgradeInsecureRequests()) { - // let's log a message to the console that we are upgrading a request - nsAutoCString scheme; - aURI->GetScheme(scheme); - // append the additional 's' for security to the scheme :-) - scheme.AppendLiteral("s"); - NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); - NS_ConvertUTF8toUTF16 reportScheme(scheme); - - if (aLoadInfo->GetUpgradeInsecureRequests()) { - AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; - uint32_t innerWindowId = aLoadInfo->GetInnerWindowID(); - CSP_LogLocalizedStr( - "upgradeInsecureRequest", params, - u""_ns, // aSourceFile - u""_ns, // aScriptSample - 0, // aLineNumber - 0, // aColumnNumber - nsIScriptError::warningFlag, "upgradeInsecureRequest"_ns, - innerWindowId, - !!aLoadInfo->GetOriginAttributes().mPrivateBrowsingId); - Telemetry::AccumulateCategorical( - Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::CSP); - } else { - AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; - - nsAutoString localizedMsg; - nsContentUtils::FormatLocalizedString( - nsContentUtils::eSECURITY_PROPERTIES, "MixedContentAutoUpgrade", - params, localizedMsg); - - // Prepending ixed Content to the outgoing console message - nsString message; - message.AppendLiteral(u"Mixed Content: "); - message.Append(localizedMsg); - - uint32_t innerWindowId = aLoadInfo->GetInnerWindowID(); - nsContentUtils::ReportToConsoleByWindowID( - message, nsIScriptError::warningFlag, "Mixed Content Message"_ns, - innerWindowId, aURI); - - // Set this flag so we know we'll upgrade because of - // 'security.mixed_content.upgrade_display_content'. - aLoadInfo->SetBrowserDidUpgradeInsecureRequests(true); - Telemetry::AccumulateCategorical( - Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::BrowserDisplay); - } - - aShouldUpgrade = true; - return NS_OK; - } - } - - // enforce Strict-Transport-Security - nsISiteSecurityService* sss = gHttpHandler->GetSSService(); - NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY); - - bool isStsHost = false; - uint32_t hstsSource = 0; - uint32_t flags = - aPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0; - - auto handleResultFunc = [aAllowSTS](bool aIsStsHost, uint32_t aHstsSource) { - if (aIsStsHost) { - LOG(("nsHttpChannel::Connect() STS permissions found\n")); - if (aAllowSTS) { - Telemetry::AccumulateCategorical( - Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::STS); - switch (aHstsSource) { - case nsISiteSecurityService::SOURCE_PRELOAD_LIST: - Telemetry::Accumulate(Telemetry::HSTS_UPGRADE_SOURCE, 0); - break; - case nsISiteSecurityService::SOURCE_ORGANIC_REQUEST: - Telemetry::Accumulate(Telemetry::HSTS_UPGRADE_SOURCE, 1); - break; - case nsISiteSecurityService::SOURCE_UNKNOWN: - default: - // record this as an organic request - Telemetry::Accumulate(Telemetry::HSTS_UPGRADE_SOURCE, 1); - break; - } - return true; - } - Telemetry::AccumulateCategorical( - Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::PrefBlockedSTS); - } else { - Telemetry::AccumulateCategorical( - Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::NoReasonToUpgrade); + // If request is https, then there is nothing to do here. + if (isHttps) { + Telemetry::AccumulateCategorical( + Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::AlreadyHTTPS); + aShouldUpgrade = false; + return NS_OK; + } + // If it is a mixed content trustworthy loopback, then we shouldn't upgrade + // it. + if (nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(aURI)) { + aShouldUpgrade = false; + return NS_OK; + } + // If no loadInfo exist there is nothing to upgrade here. + if (!aLoadInfo) { + aShouldUpgrade = false; + return NS_OK; + } + MOZ_ASSERT(!aURI->SchemeIs("https")); + + // enforce Strict-Transport-Security + nsISiteSecurityService* sss = gHttpHandler->GetSSService(); + NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY); + + bool isStsHost = false; + uint32_t hstsSource = 0; + uint32_t flags = + aPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0; + // Calling |IsSecureURI| before the storage is ready to read will + // block the main thread. Once the storage is ready, we can call it + // from main thread. + static Atomic<bool, Relaxed> storageReady(false); + if (!storageReady && gSocketTransportService && aResultCallback) { + nsCOMPtr<nsILoadInfo> loadInfo = aLoadInfo; + nsCOMPtr<nsIURI> uri = aURI; + auto callbackWrapper = [resultCallback{std::move(aResultCallback)}, uri, + loadInfo](bool aShouldUpgrade, nsresult aStatus) { + MOZ_ASSERT(NS_IsMainThread()); + + // 1. HSTS upgrade + if (aShouldUpgrade || NS_FAILED(aStatus)) { + resultCallback(aShouldUpgrade, aStatus); + return; } - return false; + // Check if we need to upgrade because of other reasons. + // 2. CSP upgrade-insecure-requests + // 3. Mixed content auto upgrading + // 4. Https-Only / first + bool shouldUpgrade = ShouldSecureUpgradeNoHSTS(uri, loadInfo); + resultCallback(shouldUpgrade, aStatus); }; + nsCOMPtr<nsISiteSecurityService> service = sss; + nsresult rv = gSocketTransportService->Dispatch( + NS_NewRunnableFunction( + "net::NS_ShouldSecureUpgrade", + [service{std::move(service)}, uri{std::move(uri)}, flags(flags), + originAttributes(aOriginAttributes), + handleResultFunc{std::move(handleResultFunc)}, + callbackWrapper{std::move(callbackWrapper)}, + allowSTS{std::move(aAllowSTS)}]() mutable { + bool isStsHost = false; + uint32_t hstsSource = 0; + nsresult rv = + service->IsSecureURI(uri, flags, originAttributes, nullptr, + &hstsSource, &isStsHost); + + // Successfully get the result from |IsSecureURI| implies that + // the storage is ready to read. + storageReady = NS_SUCCEEDED(rv); + bool shouldUpgrade = + handleResultFunc(allowSTS, isStsHost, hstsSource); + // Check if request should be upgraded. + NS_DispatchToMainThread(NS_NewRunnableFunction( + "net::NS_ShouldSecureUpgrade::ResultCallback", + [rv, shouldUpgrade, + callbackWrapper{std::move(callbackWrapper)}]() { + callbackWrapper(shouldUpgrade, rv); + })); + }), + NS_DISPATCH_NORMAL); + aWillCallback = NS_SUCCEEDED(rv); + return rv; + } - // Calling |IsSecureURI| before the storage is ready to read will - // block the main thread. Once the storage is ready, we can call it - // from main thread. - static Atomic<bool, Relaxed> storageReady(false); - if (!storageReady && gSocketTransportService && aResultCallback) { - nsCOMPtr<nsIURI> uri = aURI; - nsCOMPtr<nsISiteSecurityService> service = sss; - nsresult rv = gSocketTransportService->Dispatch( - NS_NewRunnableFunction( - "net::NS_ShouldSecureUpgrade", - [service{std::move(service)}, uri{std::move(uri)}, flags(flags), - originAttributes(aOriginAttributes), - handleResultFunc{std::move(handleResultFunc)}, - resultCallback{std::move(aResultCallback)}]() mutable { - uint32_t hstsSource = 0; - bool isStsHost = false; - nsresult rv = - service->IsSecureURI(uri, flags, originAttributes, nullptr, - &hstsSource, &isStsHost); - - // Successfully get the result from |IsSecureURI| implies that - // the storage is ready to read. - storageReady = NS_SUCCEEDED(rv); - bool shouldUpgrade = handleResultFunc(isStsHost, hstsSource); - - NS_DispatchToMainThread(NS_NewRunnableFunction( - "net::NS_ShouldSecureUpgrade::ResultCallback", - [rv, shouldUpgrade, - resultCallback{std::move(resultCallback)}]() { - resultCallback(shouldUpgrade, rv); - })); - }), - NS_DISPATCH_NORMAL); - aWillCallback = NS_SUCCEEDED(rv); - return rv; - } - - nsresult rv = sss->IsSecureURI(aURI, flags, aOriginAttributes, nullptr, - &hstsSource, &isStsHost); + nsresult rv = sss->IsSecureURI(aURI, flags, aOriginAttributes, nullptr, + &hstsSource, &isStsHost); - // if the SSS check fails, it's likely because this load is on a - // malformed URI or something else in the setup is wrong, so any error - // should be reported. - NS_ENSURE_SUCCESS(rv, rv); + // if the SSS check fails, it's likely because this load is on a + // malformed URI or something else in the setup is wrong, so any error + // should be reported. + NS_ENSURE_SUCCESS(rv, rv); - aShouldUpgrade = handleResultFunc(isStsHost, hstsSource); - return NS_OK; + aShouldUpgrade = handleResultFunc(aAllowSTS, isStsHost, hstsSource); + if (!aShouldUpgrade) { + // Check for CSP upgrade-insecure-requests, Mixed content auto upgrading + // and Https-Only / -First. + aShouldUpgrade = ShouldSecureUpgradeNoHSTS(aURI, aLoadInfo); } - - Telemetry::AccumulateCategorical( - Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::AlreadyHTTPS); - aShouldUpgrade = false; - return NS_OK; + return rv; } nsresult NS_GetSecureUpgradedURI(nsIURI* aURI, nsIURI** aUpgradedURI) { -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit 6886d4968b8914fae9ab5e4d1ade3b55492dbd66 Author: Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com> AuthorDate: Mon Nov 29 14:29:01 2021 +0000 Bug 1724080: Have https-first and https-only rules apply to speculative connections r=kershaw Differential Revision: https://phabricator.services.mozilla.com/D132239 --- .../en-US/chrome/security/security.properties | 6 ++ dom/security/nsHTTPSOnlyUtils.cpp | 24 +++++--- dom/security/test/https-first/browser.ini | 2 + .../browser_httpsfirst_speculative_connect.js | 69 ++++++++++++++++++++++ .../https-first/browser_mixed_content_console.js | 2 +- .../file_httpsfirst_speculative_connect.html | 1 + dom/security/test/https-only/browser.ini | 2 + .../browser_httpsonly_speculative_connect.js | 69 ++++++++++++++++++++++ .../file_httpsonly_speculative_connect.html | 1 + netwerk/base/nsIOService.cpp | 22 +++++++ 10 files changed, 188 insertions(+), 10 deletions(-) diff --git a/dom/locales/en-US/chrome/security/security.properties b/dom/locales/en-US/chrome/security/security.properties index d0044ce16d3a0..b1d0d005d1008 100644 --- a/dom/locales/en-US/chrome/security/security.properties +++ b/dom/locales/en-US/chrome/security/security.properties @@ -140,6 +140,12 @@ HTTPSOnlyNoUpgradeException = Not upgrading insecure request “%1$S” because HTTPSOnlyFailedRequest = Upgrading insecure request “%1$S” failed. (%2$S) # LOCALIZATION NOTE: %S is the URL of the failed request; HTTPSOnlyFailedDowngradeAgain = Upgrading insecure request “%S” failed. Downgrading to “http” again. +# LOCALIZATION NOTE: Hints or indicates a new transaction for a URL is likely coming soon. We use +# a speculative connection to start a TCP connection so that the resource is immediately ready +# when the transaction is actually submitted. HTTPS-Only and HTTPS-First will upgrade such +# speculative TCP connections from http to https. +# %1$S is the URL of the upgraded speculative TCP connection; %2$S is the upgraded scheme. +HTTPSOnlyUpgradeSpeculativeConnection = Upgrading insecure speculative TCP connection “%1$S” to use “%2$S”. # LOCALIZATION NOTE: %S is the URL of the blocked request; IframeSandboxBlockedDownload = Download of “%S” was blocked because the triggering iframe has the sandbox flag set. diff --git a/dom/security/nsHTTPSOnlyUtils.cpp b/dom/security/nsHTTPSOnlyUtils.cpp index 1494c3894ab77..bac0fa1a7068f 100644 --- a/dom/security/nsHTTPSOnlyUtils.cpp +++ b/dom/security/nsHTTPSOnlyUtils.cpp @@ -179,10 +179,13 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeRequest(nsIURI* aURI, NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); NS_ConvertUTF8toUTF16 reportScheme(scheme); + bool isSpeculative = aLoadInfo->GetExternalContentPolicyType() == + ExtContentPolicy::TYPE_SPECULATIVE; AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; - nsHTTPSOnlyUtils::LogLocalizedString("HTTPSOnlyUpgradeRequest", params, - nsIScriptError::warningFlag, aLoadInfo, - aURI); + nsHTTPSOnlyUtils::LogLocalizedString( + isSpeculative ? "HTTPSOnlyUpgradeSpeculativeConnection" + : "HTTPSOnlyUpgradeRequest", + params, nsIScriptError::warningFlag, aLoadInfo, aURI); // If the status was not determined before, we now indicate that the request // will get upgraded, but no event-listener has been registered yet. @@ -339,9 +342,10 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI, return false; } - // 2. HTTPS-First only upgrades top-level loads - if (aLoadInfo->GetExternalContentPolicyType() != - ExtContentPolicy::TYPE_DOCUMENT) { + // 2. HTTPS-First only upgrades top-level loads (and speculative connections) + ExtContentPolicyType contentType = aLoadInfo->GetExternalContentPolicyType(); + if (contentType != ExtContentPolicy::TYPE_DOCUMENT && + contentType != ExtContentPolicy::TYPE_SPECULATIVE) { return false; } @@ -399,10 +403,12 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI, NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); NS_ConvertUTF8toUTF16 reportScheme(scheme); + bool isSpeculative = contentType == ExtContentPolicy::TYPE_SPECULATIVE; AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; - nsHTTPSOnlyUtils::LogLocalizedString("HTTPSOnlyUpgradeRequest", params, - nsIScriptError::warningFlag, aLoadInfo, - aURI, true); + nsHTTPSOnlyUtils::LogLocalizedString( + isSpeculative ? "HTTPSOnlyUpgradeSpeculativeConnection" + : "HTTPSOnlyUpgradeRequest", + params, nsIScriptError::warningFlag, aLoadInfo, aURI, true); // Set flag so we know that we upgraded the request httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST; diff --git a/dom/security/test/https-first/browser.ini b/dom/security/test/https-first/browser.ini index 3a6483d6f3952..436ee2d0c5df8 100644 --- a/dom/security/test/https-first/browser.ini +++ b/dom/security/test/https-first/browser.ini @@ -8,3 +8,5 @@ support-files = file_mixed_content_console.html [browser_downgrade_view_source.js] support-files = file_downgrade_view_source.sjs +[browser_httpsfirst_speculative_connect.js] +support-files = file_httpsfirst_speculative_connect.html diff --git a/dom/security/test/https-first/browser_httpsfirst_speculative_connect.js b/dom/security/test/https-first/browser_httpsfirst_speculative_connect.js new file mode 100644 index 0000000000000..0d5f6c7e33260 --- /dev/null +++ b/dom/security/test/https-first/browser_httpsfirst_speculative_connect.js @@ -0,0 +1,69 @@ +"use strict"; + +const TEST_PATH_HTTP = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" +); + +let console_messages = [ + { + description: "Speculative Connection should get logged", + expectLogLevel: Ci.nsIConsoleMessage.warn, + expectIncludes: [ + "Upgrading insecure speculative TCP connection", + "to use", + "example.com", + "file_httpsfirst_speculative_connect.html", + ], + }, + { + description: "Upgrade should get logged", + expectLogLevel: Ci.nsIConsoleMessage.warn, + expectIncludes: [ + "Upgrading insecure request", + "to use", + "example.com", + "file_httpsfirst_speculative_connect.html", + ], + }, +]; + +function on_new_console_messages(msgObj) { + const message = msgObj.message; + const logLevel = msgObj.logLevel; + + if (message.includes("HTTPS-First Mode:")) { + for (let i = 0; i < console_messages.length; i++) { + const testCase = console_messages[i]; + // Check if log-level matches + if (logLevel !== testCase.expectLogLevel) { + continue; + } + // Check if all substrings are included + if (testCase.expectIncludes.some(str => !message.includes(str))) { + continue; + } + ok(true, testCase.description); + console_messages.splice(i, 1); + break; + } + } +} + +add_task(async function() { + requestLongerTimeout(4); + + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.https_first", true]], + }); + Services.console.registerListener(on_new_console_messages); + + await BrowserTestUtils.loadURI( + gBrowser.selectedBrowser, + `${TEST_PATH_HTTP}file_httpsfirst_speculative_connect.html` + ); + + await BrowserTestUtils.waitForCondition(() => console_messages.length === 0); + + Services.console.unregisterListener(on_new_console_messages); +}); diff --git a/dom/security/test/https-first/browser_mixed_content_console.js b/dom/security/test/https-first/browser_mixed_content_console.js index 057614ca208b8..d4e0067f8c49a 100644 --- a/dom/security/test/https-first/browser_mixed_content_console.js +++ b/dom/security/test/https-first/browser_mixed_content_console.js @@ -34,7 +34,7 @@ function on_console_message(msgObj) { // The first console message is: // "HTTPS-First Mode: Upgrading insecure request // ‘http://example.com/browser/dom/security/test/https-first/file_mixed_content_console.html’ to use ‘https’" - if (message.includes("HTTPS-First Mode:")) { + if (message.includes("HTTPS-First Mode: Upgrading insecure request")) { ok(message.includes("Upgrading insecure request"), "request got upgraded"); ok( message.includes( diff --git a/dom/security/test/https-first/file_httpsfirst_speculative_connect.html b/dom/security/test/https-first/file_httpsfirst_speculative_connect.html new file mode 100644 index 0000000000000..6542884191231 --- /dev/null +++ b/dom/security/test/https-first/file_httpsfirst_speculative_connect.html @@ -0,0 +1 @@ +<html><body>dummy file for speculative https-first upgrade test</body></html> diff --git a/dom/security/test/https-only/browser.ini b/dom/security/test/https-only/browser.ini index 5797ace1adb1d..78d1279e76228 100644 --- a/dom/security/test/https-only/browser.ini +++ b/dom/security/test/https-only/browser.ini @@ -19,3 +19,5 @@ support-files = [browser_hsts_host.js] support-files = hsts_headers.sjs +[browser_httpsonly_speculative_connect.js] +support-files = file_httpsonly_speculative_connect.html diff --git a/dom/security/test/https-only/browser_httpsonly_speculative_connect.js b/dom/security/test/https-only/browser_httpsonly_speculative_connect.js new file mode 100644 index 0000000000000..d07f335b99550 --- /dev/null +++ b/dom/security/test/https-only/browser_httpsonly_speculative_connect.js @@ -0,0 +1,69 @@ +"use strict"; + +const TEST_PATH_HTTP = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.org" +); + +let console_messages = [ + { + description: "Speculative Connection should get logged", + expectLogLevel: Ci.nsIConsoleMessage.warn, + expectIncludes: [ + "Upgrading insecure speculative TCP connection", + "to use", + "example.org", + "file_httpsonly_speculative_connect.html", + ], + }, + { + description: "Upgrade should get logged", + expectLogLevel: Ci.nsIConsoleMessage.warn, + expectIncludes: [ + "Upgrading insecure request", + "to use", + "example.org", + "file_httpsonly_speculative_connect.html", + ], + }, +]; + +function on_new_console_messages(msgObj) { + const message = msgObj.message; + const logLevel = msgObj.logLevel; + + if (message.includes("HTTPS-Only Mode:")) { + for (let i = 0; i < console_messages.length; i++) { + const testCase = console_messages[i]; + // Check if log-level matches + if (logLevel !== testCase.expectLogLevel) { + continue; + } + // Check if all substrings are included + if (testCase.expectIncludes.some(str => !message.includes(str))) { + continue; + } + ok(true, testCase.description); + console_messages.splice(i, 1); + break; + } + } +} + +add_task(async function() { + requestLongerTimeout(4); + + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.https_only_mode", true]], + }); + Services.console.registerListener(on_new_console_messages); + + await BrowserTestUtils.loadURI( + gBrowser.selectedBrowser, + `${TEST_PATH_HTTP}file_httpsonly_speculative_connect.html` + ); + + await BrowserTestUtils.waitForCondition(() => console_messages.length === 0); + + Services.console.unregisterListener(on_new_console_messages); +}); diff --git a/dom/security/test/https-only/file_httpsonly_speculative_connect.html b/dom/security/test/https-only/file_httpsonly_speculative_connect.html new file mode 100644 index 0000000000000..46a10401f9530 --- /dev/null +++ b/dom/security/test/https-only/file_httpsonly_speculative_connect.html @@ -0,0 +1 @@ +<html><body>dummy file for speculative https-only upgrade test</body></html> diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp index 1d99b354c3642..459d51485f672 100644 --- a/netwerk/base/nsIOService.cpp +++ b/netwerk/base/nsIOService.cpp @@ -47,6 +47,7 @@ #include "mozilla/net/NeckoParent.h" #include "mozilla/dom/ClientInfo.h" #include "mozilla/dom/ContentParent.h" +#include "mozilla/dom/nsHTTPSOnlyUtils.h" #include "mozilla/dom/ServiceWorkerDescriptor.h" #include "mozilla/net/CaptivePortalService.h" #include "mozilla/net/NetworkConnectivityService.h" @@ -1950,6 +1951,27 @@ nsresult nsIOService::SpeculativeConnectInternal( return NS_ERROR_INVALID_ARG; } + // XXX Bug 1724080: Avoid TCP connections on port 80 when https-only + // or https-first is enabled. Let's create a dummy loadinfo which we + // only use to determine whether we need ot upgrade the speculative + // connection from http to https. + nsCOMPtr<nsIURI> httpsURI; + if (aURI->SchemeIs("http")) { + nsCOMPtr<nsILoadInfo> httpsOnlyCheckLoadInfo = + new LoadInfo(loadingPrincipal, loadingPrincipal, nullptr, + nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK, + nsIContentPolicy::TYPE_SPECULATIVE); + + // Check if https-only, or https-first would upgrade the request + if (nsHTTPSOnlyUtils::ShouldUpgradeRequest(aURI, httpsOnlyCheckLoadInfo) || + nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest( + aURI, httpsOnlyCheckLoadInfo)) { + rv = NS_GetSecureUpgradedURI(aURI, getter_AddRefs(httpsURI)); + NS_ENSURE_SUCCESS(rv, rv); + aURI = httpsURI.get(); + } + } + // dummy channel used to create a TCP connection. // we perform security checks on the *real* channel, responsible // for any network loads. this real channel just checks the TCP -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit b8f5ec1fdc68d1f7a2c99e8b89284e53ce7b015f Author: Pier Angelo Vendrame <pierov@torproject.org> AuthorDate: Mon Aug 1 12:39:29 2022 +0200 fixup! Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing Bug 41070: Remove all localizaed messages for Google, to make it appear again --- .../google/_locales/region-by/messages.json | 20 -------------------- .../google/_locales/region-kz/messages.json | 20 -------------------- .../google/_locales/region-ru/messages.json | 20 -------------------- .../google/_locales/region-tr/messages.json | 20 -------------------- 4 files changed, 80 deletions(-) diff --git a/browser/components/search/extensions/google/_locales/region-by/messages.json b/browser/components/search/extensions/google/_locales/region-by/messages.json deleted file mode 100644 index 60e5ed5eda07c..0000000000000 --- a/browser/components/search/extensions/google/_locales/region-by/messages.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "extensionName": { - "message": "Google" - }, - "extensionDescription": { - "message": "Google Search" - }, - "searchUrl": { - "message": "https://www.google.by/search" - }, - "searchForm": { - "message": "https://www.google.by/search?q={searchTerms}" - }, - "suggestUrl": { - "message": "https://www.google.by/complete/search?client=firefox&q={searchTerms}" - }, - "searchUrlGetParams": { - "message": "q={searchTerms}" - } -} diff --git a/browser/components/search/extensions/google/_locales/region-kz/messages.json b/browser/components/search/extensions/google/_locales/region-kz/messages.json deleted file mode 100644 index 8e64096bc1145..0000000000000 --- a/browser/components/search/extensions/google/_locales/region-kz/messages.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "extensionName": { - "message": "Google" - }, - "extensionDescription": { - "message": "Google Search" - }, - "searchUrl": { - "message": "https://www.google.kz/search" - }, - "searchForm": { - "message": "https://www.google.kz/search?q={searchTerms}" - }, - "suggestUrl": { - "message": "https://www.google.kz/complete/search?client=firefox&q={searchTerms}" - }, - "searchUrlGetParams": { - "message": "q={searchTerms}" - } -} diff --git a/browser/components/search/extensions/google/_locales/region-ru/messages.json b/browser/components/search/extensions/google/_locales/region-ru/messages.json deleted file mode 100644 index 8a78bb4e7f871..0000000000000 --- a/browser/components/search/extensions/google/_locales/region-ru/messages.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "extensionName": { - "message": "Google" - }, - "extensionDescription": { - "message": "Google Search" - }, - "searchUrl": { - "message": "https://www.google.ru/search" - }, - "searchForm": { - "message": "https://www.google.ru/search?q={searchTerms}" - }, - "suggestUrl": { - "message": "https://www.google.ru/complete/search?client=firefox&q={searchTerms}" - }, - "searchUrlGetParams": { - "message": "q={searchTerms}" - } -} diff --git a/browser/components/search/extensions/google/_locales/region-tr/messages.json b/browser/components/search/extensions/google/_locales/region-tr/messages.json deleted file mode 100644 index 8e373a4833b99..0000000000000 --- a/browser/components/search/extensions/google/_locales/region-tr/messages.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "extensionName": { - "message": "Google" - }, - "extensionDescription": { - "message": "Google Search" - }, - "searchUrl": { - "message": "https://www.google.com.tr/search" - }, - "searchForm": { - "message": "https://www.google.com.tr/search?q={searchTerms}" - }, - "suggestUrl": { - "message": "https://www.google.com.tr/complete/search?client=firefox&q={searchTerms}" - }, - "searchUrlGetParams": { - "message": "q={searchTerms}" - } -} -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit 0db9a71fed2796913dac1ffc0477612c35e2920a Author: Richard Pospesel <richard@torproject.org> AuthorDate: Mon Aug 1 17:56:45 2022 +0000 Bug 41089: Add tor-browser build scripts + Makefile to tor-browser --- tools/torbrowser/Makefile | 35 +++++++++++++++++++++ tools/torbrowser/bridges.js | 77 +++++++++++++++++++++++++++++++++++++++++++++ tools/torbrowser/build.sh | 7 +++++ tools/torbrowser/clobber.sh | 6 ++++ tools/torbrowser/config.sh | 6 ++++ tools/torbrowser/deploy.sh | 23 ++++++++++++++ tools/torbrowser/fetch.sh | 30 ++++++++++++++++++ tools/torbrowser/jslint.sh | 8 +++++ 8 files changed, 192 insertions(+) diff --git a/tools/torbrowser/Makefile b/tools/torbrowser/Makefile new file mode 100644 index 0000000000000..c335db77ae666 --- /dev/null +++ b/tools/torbrowser/Makefile @@ -0,0 +1,35 @@ +.DEFAULT_GOAL := all + +# https://stackoverflow.com/questions/18136918/how-to-get-current-relative-dir... +mkfile_path := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) + +DEV_ROOT = $(mkfile_path)/../.. +BINARIES = $(DEV_ROOT)/.binaries +BUILD_OUTPUT = $(DEV_ROOT)/obj-x86_64-pc-linux-gnu + +config: + ./config.sh $(DEV_ROOT) + +fetch: + ./fetch.sh $(BINARIES) + +build: + ./build.sh $(DEV_ROOT) + +deploy: + ./deploy.sh $(BINARIES) $(BUILD_OUTPUT) + +all: build deploy + +run: + $(BINARIES)/dev/Browser/start-tor-browser -v + +jslint: + ./jslint.sh $(DEV_ROOT) $(JS) + +clobber: + ./clobber.sh $(DEV_ROOT) + +clean: + rm -rf $(BUILD_OUTPUT) + diff --git a/tools/torbrowser/bridges.js b/tools/torbrowser/bridges.js new file mode 100644 index 0000000000000..e8f11a36c401d --- /dev/null +++ b/tools/torbrowser/bridges.js @@ -0,0 +1,77 @@ +pref("extensions.torlauncher.default_bridge_recommended_type", "obfs4"); + +// Default bridges. +pref( + "extensions.torlauncher.default_bridge.obfs4.1", + "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.2", + "obfs4 38.229.1.78:80 C8CBDB2464FC9804A69531437BCF2BE31FDD2EE4 cert=Hmyfd2ev46gGY7NoVxA9ngrPF2zCZtzskRTzoWXbxNkzeVnGFPWmrTtILRyqCTjHR+s9dg iat-mode=1" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.3", + "obfs4 38.229.33.83:80 0BAC39417268B96B9F514E7F63FA6FBA1A788955 cert=VwEFpk9F/UN9JED7XpG1XOjm/O8ZCXK80oPecgWnNDZDv5pdkhq1OpbAH0wNqOT6H6BmRQ iat-mode=1" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.4", + "obfs4 37.218.245.14:38224 D9A82D2F9C2F65A18407B1D2B764F130847F8B5D cert=bjRaMrr1BRiAW8IE9U5z27fQaYgOhX1UCmOpg2pFpoMvo6ZgQMzLsaTzzQNTlm7hNcb+Sg iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.5", + "obfs4 85.31.186.98:443 011F2599C0E9B27EE74B353155E244813763C3E5 cert=ayq0XzCwhpdysn5o0EyDUbmSOx3X/oTEbzDMvczHOdBJKlvIdHHLJGkZARtT4dcBFArPPg iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.6", + "obfs4 85.31.186.26:443 91A6354697E6B02A386312F68D82CF86824D3606 cert=PBwr+S8JTVZo6MPdHnkTwXJPILWADLqfMGoVvhZClMq/Urndyd42BwX9YFJHZnBB3H0XCw iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.7", + "obfs4 144.217.20.138:80 FB70B257C162BF1038CA669D568D76F5B7F0BABB cert=vYIV5MgrghGQvZPIi1tJwnzorMgqgmlKaB77Y3Z9Q/v94wZBOAXkW+fdx4aSxLVnKO+xNw iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.8", + "obfs4 193.11.166.194:27015 2D82C2E354D531A68469ADF7F878FA6060C6BACA cert=4TLQPJrTSaDffMK7Nbao6LC7G9OW/NHkUwIdjLSS3KYf0Nv4/nQiiI8dY2TcsQx01NniOg iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.9", + "obfs4 193.11.166.194:27020 86AC7B8D430DAC4117E9F42C9EAED18133863AAF cert=0LDeJH4JzMDtkJJrFphJCiPqKx7loozKN7VNfuukMGfHO0Z8OGdzHVkhVAOfo1mUdv9cMg iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.10", + "obfs4 193.11.166.194:27025 1AE2C08904527FEA90C4C4F8C1083EA59FBC6FAF cert=ItvYZzW5tn6v3G4UnQa6Qz04Npro6e81AP70YujmK/KXwDFPTs3aHXcHp4n8Vt6w/bv8cA iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.11", + "obfs4 209.148.46.65:443 74FAD13168806246602538555B5521A0383A1875 cert=ssH+9rP8dG2NLDN2XuFw63hIO/9MNNinLmxQDpVa+7kTOa9/m+tGWT1SmSYpQ9uTBGa6Hw iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.12", + "obfs4 146.57.248.225:22 10A6CD36A537FCE513A322361547444B393989F0 cert=K1gDtDAIcUfeLqbstggjIw2rtgIKqdIhUlHp82XRqNSq/mtAjp1BIC9vHKJ2FAEpGssTPw iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.13", + "obfs4 45.145.95.6:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.14", + "obfs4 [2a0c:4d80:42:702::1]:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.15", + "obfs4 51.222.13.177:80 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0" +); +pref( + "extensions.torlauncher.default_bridge.obfs4.16", + "obfs4 185.100.87.30:443 5B403DFE34F4872EB027059CECAE30B0C864B3A2 cert=bWUdFUe8io9U6JkSLoGAvSAUDcB779/shovCYmYAQb/pW/iEAMZtO/lCd94OokOF909TPA iat-mode=2" +); + +pref( + "extensions.torlauncher.default_bridge.meek-azure.1", + "meek_lite 192.0.2.2:2 97700DFE9F483596DDA6264C4D7DF7641E1E39CE url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com" +); + +pref( + "extensions.torlauncher.default_bridge.snowflake.1", + "snowflake 192.0.2.3:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72" +); diff --git a/tools/torbrowser/build.sh b/tools/torbrowser/build.sh new file mode 100755 index 0000000000000..e53dbc5000bc7 --- /dev/null +++ b/tools/torbrowser/build.sh @@ -0,0 +1,7 @@ +#!/bin/bash +set -e +DEV_ROOT=$1 + +cd $DEV_ROOT +./mach build +./mach build stage-package diff --git a/tools/torbrowser/clobber.sh b/tools/torbrowser/clobber.sh new file mode 100755 index 0000000000000..5073454b23c10 --- /dev/null +++ b/tools/torbrowser/clobber.sh @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +DEV_ROOT=$1 + +cd $DEV_ROOT +./mach clobber diff --git a/tools/torbrowser/config.sh b/tools/torbrowser/config.sh new file mode 100755 index 0000000000000..d353119613792 --- /dev/null +++ b/tools/torbrowser/config.sh @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +DEV_ROOT=$1 + +cd $DEV_ROOT +./mach configure diff --git a/tools/torbrowser/deploy.sh b/tools/torbrowser/deploy.sh new file mode 100755 index 0000000000000..9f2ebd58cbe3a --- /dev/null +++ b/tools/torbrowser/deploy.sh @@ -0,0 +1,23 @@ +#!/bin/bash +set -e +BINARIES=$1 +BUILD_OUTPUT=$2 + +SCRIPT_DIR=$(realpath "$(dirname "$0")") + +# Add built-in bridges +mkdir -p $BUILD_OUTPUT/_omni/defaults/preferences +cat $BUILD_OUTPUT/dist/bin/browser/defaults/preferences/000-tor-browser.js $SCRIPT_DIR/bridges.js >> $BUILD_OUTPUT/_omni/defaults/preferences/000-tor-browser.js +cd $BUILD_OUTPUT/_omni && zip -Xmr $BUILD_OUTPUT/dist/firefox/browser/omni.ja defaults/preferences/000-tor-browser.js +rm -rf $BUILD_OUTPUT/_omni + +# Repackage the manual +# rm -rf $BUILD_OUTPUT/_omni +# mkdir $BUILD_OUTPUT/_omni +# unzip $BINARIES/dev/Browser/browser/omni.ja -d $BUILD_OUTPUT/_omni +# cd $BUILD_OUTPUT/_omni && zip -Xmr $BUILD_OUTPUT/dist/firefox/browser/omni.ja chrome/browser/content/browser/manual +# rm -rf $BUILD_OUTPUT/_omni + +# copy binaries +cp -r $BUILD_OUTPUT/dist/firefox/* $BINARIES/dev/Browser +rm -rf $BINARIES/dev/Browser/TorBrowser/Data/Browser/profile.default/startupCache diff --git a/tools/torbrowser/fetch.sh b/tools/torbrowser/fetch.sh new file mode 100755 index 0000000000000..5b5c627c0c343 --- /dev/null +++ b/tools/torbrowser/fetch.sh @@ -0,0 +1,30 @@ +#!/bin/sh +set -e + +BINARIES_DIR=$1 + +# download the current downloads.json +wget https://aus1.torproject.org/torbrowser/update_3/alpha/downloads.json +# get url for latest alpha linux en_US package +TOR_BROWSER_VERSION=$(grep -Eo "\"version\":\"[0-9.a]+\"" downloads.json | grep -Eo "[0-9.a]+") +TOR_BROWSER_PACKAGE="tor-browser-linux64-${TOR_BROWSER_VERSION}_en-US.tar.xz" +TOR_BROWSER_PACKAGE_URL="https://dist.torproject.org/torbrowser/${TOR_BROWSER_VERSION}/${TOR_BROWSER_PACKAGE}" + +# remove download manifest +rm downloads.json + +# clear out previous tor-browser and previous package +rm -rf "${BINARIES_DIR}/dev" +rm -f "${TOR_BROWSER_PACKAGE}" + +# download +rm -f "${TOR_BROWSER_PACKAGE}" +wget "${TOR_BROWSER_PACKAGE_URL}" +mkdir -p "${BINARIES_DIR}" + +# and extract +tar -xf ${TOR_BROWSER_PACKAGE} -C "${BINARIES_DIR}" +mv "${BINARIES_DIR}/tor-browser_en-US" "${BINARIES_DIR}/dev" + +# cleanup +rm -f "${TOR_BROWSER_PACKAGE}" diff --git a/tools/torbrowser/jslint.sh b/tools/torbrowser/jslint.sh new file mode 100755 index 0000000000000..ee45afdbcab7a --- /dev/null +++ b/tools/torbrowser/jslint.sh @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +DEV_ROOT=$1 +JS_FILE=$2 + +export MACH_USE_SYSTEM_PYTHON=1 +cd $DEV_ROOT +./mach lint -l eslint --fix $JS_FILE -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit f1d4307fb949d9cb77c4a2d9d670a89504ea18d9 Author: Dan Ballard <dan@mindstab.net> AuthorDate: Tue Aug 9 08:08:04 2022 -0700 fixup! Bug 41089: Add tor-browser build scripts + Makefile to tor-browser --- .gitignore | 3 +++ tools/torbrowser/Makefile | 9 +++++++++ tools/torbrowser/ide.sh | 8 ++++++++ 3 files changed, 20 insertions(+) diff --git a/.gitignore b/.gitignore index ffd0f9faf1458..117d6cbbf9d54 100644 --- a/.gitignore +++ b/.gitignore @@ -168,3 +168,6 @@ testing/raptor/.raptor-venv testing/raptor/raptor-venv testing/raptor/raptor/tests/json/ testing/raptor/webext/raptor/auto_gen_test_config.js + +# Ignore binary base of tor browser +.binaries diff --git a/tools/torbrowser/Makefile b/tools/torbrowser/Makefile index c335db77ae666..92650151560ec 100644 --- a/tools/torbrowser/Makefile +++ b/tools/torbrowser/Makefile @@ -10,6 +10,15 @@ BUILD_OUTPUT = $(DEV_ROOT)/obj-x86_64-pc-linux-gnu config: ./config.sh $(DEV_ROOT) +ide-vscode: + ./ide.sh vscode $(DEV_ROOT) + +ide-eclipse: + ./ide.sh eclipse $(DEV_ROOT) + +ide-visualstudio: + ./ide.sh visualstudio $(DEV_ROOT) + fetch: ./fetch.sh $(BINARIES) diff --git a/tools/torbrowser/ide.sh b/tools/torbrowser/ide.sh new file mode 100755 index 0000000000000..73bbdd3461c6c --- /dev/null +++ b/tools/torbrowser/ide.sh @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +IDE=$1 +DEV_ROOT=$2 + +export MACH_USE_SYSTEM_PYTHON=1 +cd $DEV_ROOT +./mach ide $IDE -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit 25dea5a6c3e74c42e9444335ff2dcef11896b73a Author: Richard Pospesel <richard@torproject.org> AuthorDate: Thu Aug 4 13:36:56 2022 +0000 fixup! Bug 26961: New user onboarding. Bug 41095: Learn more link in onboarding slideshow still points to 11.0 release post --- browser/extensions/onboarding/content/Onboarding.jsm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browser/extensions/onboarding/content/Onboarding.jsm b/browser/extensions/onboarding/content/Onboarding.jsm index 38c78f724b3b0..3a47f366df49f 100644 --- a/browser/extensions/onboarding/content/Onboarding.jsm +++ b/browser/extensions/onboarding/content/Onboarding.jsm @@ -909,7 +909,7 @@ class Onboarding { } const kOnionURL = "https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/"; // DuckDuckGo - const kLearnMore = "https://www.torproject.org/releases/tor-browser-11-0/"; + const kLearnMore = "https://www.torproject.org/releases/tor-browser-11-5/"; let handledTourActionClick = false; switch (id) { case "onboarding-overlay-button-icon": -- To stop receiving notification emails like this one, please contact the administrator of this repository.
This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser. commit a4c279e9f8e5e1ce82c32d4973622b1911f83a2a Author: Dan Ballard <dan@mindstab.net> AuthorDate: Tue Aug 23 15:36:44 2022 +0000 fixup! Bug 23247: Communicating security expectations for .onion Bug 41075: The Tor Browser is showing caution sign but your document said it won't --- browser/base/content/browser-siteIdentity.js | 6 ++++-- security/certverifier/CertVerifier.cpp | 22 ++++++++++++++++++---- security/manager/ssl/SSLServerCertVerification.cpp | 15 +++++++++++++-- security/manager/ssl/nsNSSIOLayer.cpp | 13 ++++++++++--- security/nss/lib/mozpkix/include/pkix/Result.h | 2 ++ security/nss/lib/mozpkix/include/pkix/pkixnss.h | 1 + 6 files changed, 48 insertions(+), 11 deletions(-) diff --git a/browser/base/content/browser-siteIdentity.js b/browser/base/content/browser-siteIdentity.js index b7d59db3dd34d..e45b65ddac158 100644 --- a/browser/base/content/browser-siteIdentity.js +++ b/browser/base/content/browser-siteIdentity.js @@ -767,8 +767,10 @@ var gIdentityHandler = { issuerCert = this._secInfo.succeededCertChain[ this._secInfo.succeededCertChain.length - 1 ]; - - return !issuerCert.isBuiltInRoot; + if (issuerCert) { + return !issuerCert.isBuiltInRoot; + } + return false; }, /** diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index c427539bd67ea..e513eddb31e0c 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -918,6 +918,8 @@ Result CertVerifier::VerifySSLServerCert( return Result::ERROR_BAD_CERT_DOMAIN; } + bool errOnionWithSelfSignedCert = false; + // CreateCertErrorRunnable assumes that CheckCertHostname is only called // if VerifyCert succeeded. Result rv = @@ -931,9 +933,16 @@ Result CertVerifier::VerifySSLServerCert( CertIsSelfSigned(peerCert, pinarg)) { // In this case we didn't find any issuer for the certificate and the // certificate is self-signed. - return Result::ERROR_SELF_SIGNED_CERT; + if (StringEndsWith(hostname, ".onion"_ns)) { + // Self signed cert over onion is deemed secure, the hidden service provides authentication. + // We defer returning this error and keep processing to determine if there are other legitimate + // certificate errors (such as expired, wrong domain) that we would like to surface to the user + errOnionWithSelfSignedCert = true; + } else { + return Result::ERROR_SELF_SIGNED_CERT; + } } - if (rv == Result::ERROR_UNKNOWN_ISSUER) { + if (rv == Result::ERROR_UNKNOWN_ISSUER && !errOnionWithSelfSignedCert) { // In this case we didn't get any valid path for the cert. Let's see if // the issuer is the same as the issuer for our canary probe. If yes, this // connection is connecting via a misconfigured proxy. @@ -951,7 +960,9 @@ Result CertVerifier::VerifySSLServerCert( return Result::ERROR_MITM_DETECTED; } } - return rv; + if (!errOnionWithSelfSignedCert) { + return rv; + } } if (dcInfo) { @@ -995,7 +1006,7 @@ Result CertVerifier::VerifySSLServerCert( } bool isBuiltInRoot; rv = IsCertChainRootBuiltInRoot(builtChain, isBuiltInRoot); - if (rv != Success) { + if (rv != Success && !errOnionWithSelfSignedCert) { return rv; } @@ -1016,6 +1027,9 @@ Result CertVerifier::VerifySSLServerCert( return rv; } + if (errOnionWithSelfSignedCert) { + return Result::ERROR_ONION_WITH_SELF_SIGNED_CERT; + } return Success; } diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp index 0a84aecc6c724..a0c14be276dd6 100644 --- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -299,6 +299,7 @@ SECStatus DetermineCertOverrideErrors(const UniqueCERTCertificate& cert, case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED: case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE: case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT: + case mozilla::pkix::MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT: case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: { collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED; errorCodeTrust = defaultErrorCodeToReport; @@ -984,6 +985,17 @@ PRErrorCode AuthCertificateParseResults( gPIPNSSLog, LogLevel::Debug, ("[0x%" PRIx64 "] Certificate error was not overridden\n", aPtrForLog)); + // If Onion with self signed cert we want to prioritize any other error + if (errorCodeTrust == MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT) { + if (errorCodeMismatch) { + return errorCodeMismatch; + } else if (errorCodeTime) { + return errorCodeTime; + } else { + return MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT; + } + } + // pick the error code to report by priority return errorCodeTrust ? errorCodeTrust : errorCodeMismatch ? errorCodeMismatch @@ -1389,8 +1401,7 @@ SSLServerCertVerificationResult::Run() { std::move(mPeerCertChain), mCertificateTransparencyStatus, mEVStatus, mSucceeded, mIsBuiltCertChainRootBuiltInRoot); - - if (!mSucceeded && mCollectedErrors != 0) { + if (!mSucceeded && mCollectedErrors != 0 && mFinalError != MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT) { mInfoObject->SetStatusErrorBits(mCert, mCollectedErrors); } mInfoObject->SetCertVerificationResult(mFinalError); diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index 21687447072d4..10d74b9eb3eb4 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -411,7 +411,11 @@ void nsNSSSocketInfo::SetCertVerificationResult(PRErrorCode errorCode) { "Invalid state transition to cert_verification_finished"); if (mFd) { - SECStatus rv = SSL_AuthCertificateComplete(mFd, errorCode); + PRErrorCode passCode = errorCode; + if (errorCode == MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT) { + passCode = 0; + } + SECStatus rv = SSL_AuthCertificateComplete(mFd, passCode); // Only replace errorCode if there was originally no error if (rv != SECSuccess && errorCode == 0) { errorCode = PR_GetError(); @@ -422,12 +426,15 @@ void nsNSSSocketInfo::SetCertVerificationResult(PRErrorCode errorCode) { } } - if (errorCode) { + if (errorCode && + errorCode != MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT) { mFailedVerification = true; SetCanceled(errorCode); } - if (mPlaintextBytesRead && !errorCode) { + if (mPlaintextBytesRead && + (!errorCode || + errorCode == MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT)) { Telemetry::Accumulate(Telemetry::SSL_BYTES_BEFORE_CERT_CALLBACK, AssertedCast<uint32_t>(mPlaintextBytesRead)); } diff --git a/security/nss/lib/mozpkix/include/pkix/Result.h b/security/nss/lib/mozpkix/include/pkix/Result.h index 29461dc1a510b..b2ad3a383ceb3 100644 --- a/security/nss/lib/mozpkix/include/pkix/Result.h +++ b/security/nss/lib/mozpkix/include/pkix/Result.h @@ -188,6 +188,8 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800; SEC_ERROR_LIBRARY_FAILURE) \ MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4, \ SEC_ERROR_NO_MEMORY) \ + MOZILLA_PKIX_MAP(ERROR_ONION_WITH_SELF_SIGNED_CERT, 155, \ + MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT) \ /* nothing here */ enum class Result { diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h index b181ca541e01c..16513a5dfb0b1 100644 --- a/security/nss/lib/mozpkix/include/pkix/pkixnss.h +++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h @@ -88,6 +88,7 @@ enum ErrorCode { MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = ERROR_BASE + 13, MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = ERROR_BASE + 14, MOZILLA_PKIX_ERROR_MITM_DETECTED = ERROR_BASE + 15, + MOZILLA_PKIX_ERROR_ONION_WITH_SELF_SIGNED_CERT = ERROR_BASE + 100, END_OF_LIST }; -- To stop receiving notification emails like this one, please contact the administrator of this repository.
participants (1)
-
gitolite role