Changeset 249684 in webkit

Timestamp:

Sep 9, 2019, 6:39:18 PM (6 years ago)

Author:

achristensen@apple.com

Message:

Disable TLS 1.0 and 1.1 in WebSockets
​https://bugs.webkit.org/show_bug.cgi?id=201573

Reviewed by Youenn Fablet.

Source/WebCore:

This expands on what I started in r249019 when I disabled legacy TLS for our use of NSURLSession.
Since our WebSocket implementation uses a different network interface, disable legacy TLS for them, too.
I use the same temporary default to re-enable legacy TLS. I also add a unit test for both WebSockets and NSURLSession use.

• platform/network/cf/SocketStreamHandleImpl.h:
• platform/network/cf/SocketStreamHandleImplCFNet.cpp:

(WebCore::Function<bool):
(WebCore::SocketStreamHandleImpl::setLegacyTLSEnabledCheck):
(WebCore::SocketStreamHandleImpl::createStreams):

Source/WebCore/PAL:

• pal/spi/cf/CFNetworkSPI.h:

Source/WebKit:

• NetworkProcess/NetworkProcessCreationParameters.cpp:

(WebKit::NetworkProcessCreationParameters::encode const):
(WebKit::NetworkProcessCreationParameters::decode):

• NetworkProcess/NetworkProcessCreationParameters.h:
• NetworkProcess/cocoa/NetworkProcessCocoa.mm:

(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):

• UIProcess/API/Cocoa/WKProcessPool.mm:

(-[WKProcessPool _allowAnyTLSCertificateForWebSocketTesting]):

• UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
• UIProcess/Cocoa/WebProcessPoolCocoa.mm:

(WebKit::WebProcessPool::platformInitializeNetworkProcess):

Source/WebKitLegacy/mac:

• WebView/WebView.mm:

(-[WebView _commonInitializationWithFrameName:groupName:]):

Tools:

• TestWebKitAPI/SourcesCocoa.txt:
• TestWebKitAPI/TCPServer.cpp:

(sk_CRYPTO_BUFFER_num):
(sk_CRYPTO_BUFFER_value):
(TestWebKitAPI::deleter<CRYPTO_BUFFER>::operator()):
(TestWebKitAPI::TCPServer::TCPServer):
(TestWebKitAPI::TCPServer::listenForConnections):
(TestWebKitAPI::deleter<X509>::operator()): Deleted.
(TestWebKitAPI::deleter<uint8_t::operator()): Deleted.

• TestWebKitAPI/TCPServer.h:
• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm: Added.

(-[WebSocketDelegate waitForMessage]):
(-[WebSocketDelegate webView:runJavaScriptAlertPanelWithMessage:initiatedByFrame:completionHandler:]):
(TestWebKitAPI::TEST):

• TestWebKitAPI/cocoa/TestNavigationDelegate.h:
• TestWebKitAPI/cocoa/TestNavigationDelegate.mm:

(-[TestNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]):
(-[TestNavigationDelegate waitForDidFailProvisionalNavigation]):

Location:

trunk

Files:

• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/PAL/ChangeLog (modified) (1 diff)
• Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h (modified) (2 diffs)
• Source/WebCore/platform/network/cf/SocketStreamHandleImpl.h (modified) (1 diff)
• Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp (modified) (3 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm (modified) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h (modified) (1 diff)
• Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (modified) (1 diff)
• Source/WebKitLegacy/mac/ChangeLog (modified) (1 diff)
• Source/WebKitLegacy/mac/WebView/WebView.mm (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/SourcesCocoa.txt (modified) (1 diff)
• Tools/TestWebKitAPI/TCPServer.cpp (modified) (6 diffs)
• Tools/TestWebKitAPI/TCPServer.h (modified) (2 diffs)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (2 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm (added)
• Tools/TestWebKitAPI/cocoa/TestNavigationDelegate.h (modified) (1 diff)
• Tools/TestWebKitAPI/cocoa/TestNavigationDelegate.mm (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog ¶

@@ +1 @@
+2019-09-09  Alex Christensen  <achristensen@webkit.org>
+
+        Disable TLS 1.0 and 1.1 in WebSockets
+        https://bugs.webkit.org/show_bug.cgi?id=201573
+
+        Reviewed by Youenn Fablet.
+
+        This expands on what I started in r249019 when I disabled legacy TLS for our use of NSURLSession.
+        Since our WebSocket implementation uses a different network interface, disable legacy TLS for them, too.
+        I use the same temporary default to re-enable legacy TLS.  I also add a unit test for both WebSockets and NSURLSession use.
+
+        * platform/network/cf/SocketStreamHandleImpl.h:
+        * platform/network/cf/SocketStreamHandleImplCFNet.cpp:
+        (WebCore::Function<bool):
+        (WebCore::SocketStreamHandleImpl::setLegacyTLSEnabledCheck):
+        (WebCore::SocketStreamHandleImpl::createStreams):
+
 2019-09-09  Saam Barati  <sbarati@apple.com>
 

trunk/Source/WebCore/PAL/ChangeLog ¶

@@ +1 @@
+2019-09-09  Alex Christensen  <achristensen@webkit.org>
+
+        Disable TLS 1.0 and 1.1 in WebSockets
+        https://bugs.webkit.org/show_bug.cgi?id=201573
+
+        Reviewed by Youenn Fablet.
+
+        * pal/spi/cf/CFNetworkSPI.h:
+
 2019-08-30  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h ¶

@@ -56 +56 @@
 WTF_EXTERN_C_END
 
-#endif
+#else // PLATFORM(WIN)
+#include <CFNetwork/CFSocketStreamPriv.h>
+#endif // PLATFORM(WIN)
 
 // FIXME: Remove the defined(__OBJC__)-guard once we fix <rdar://problem/19033610>.
@@ -283 +285 @@
 extern const CFStringRef _kCFURLConnectionPropertyShouldSniff;
 extern const CFStringRef _kCFURLStorageSessionIsPrivate;
+extern const CFStringRef kCFStreamSocketSecurityLevelTLSv1_2;
 
 #if HAVE(CFNETWORK_WITH_CONTENT_ENCODING_SNIFFING_OVERRIDE)

trunk/Source/WebCore/platform/network/cf/SocketStreamHandleImpl.h ¶

@@ -51 +51 @@
 
     virtual ~SocketStreamHandleImpl();
+
+    WEBCORE_EXPORT static void setLegacyTLSEnabled(bool);
 
     WEBCORE_EXPORT void platformSend(const uint8_t* data, size_t length, Function<void(bool)>&&) final;

trunk/Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp ¶

@@ -306 +306 @@
 }
 
+static bool gLegacyTLSEnabled = false;
+
+void SocketStreamHandleImpl::setLegacyTLSEnabled(bool enabled)
+{
+    gLegacyTLSEnabled = enabled;
+}
+
 void SocketStreamHandleImpl::createStreams()
 {
@@ -328 +335 @@
         CFWriteStreamSetProperty(writeStream, kCFStreamPropertySourceApplication, m_auditData.sourceApplicationAuditData.get());
     }
-    
 #endif
 
@@ -356 +362 @@
     if (shouldUseSSL()) {
         CFBooleanRef validateCertificateChain = DeprecatedGlobalSettings::allowsAnySSLCertificate() ? kCFBooleanFalse : kCFBooleanTrue;
-        const void* keys[] = { kCFStreamSSLPeerName, kCFStreamSSLLevel, kCFStreamSSLValidatesCertificateChain };
-        const void* values[] = { host.get(), kCFStreamSocketSecurityLevelNegotiatedSSL, validateCertificateChain };
+        const void* keys[] = {
+            kCFStreamSSLPeerName,
+            kCFStreamSSLLevel,
+            kCFStreamSSLValidatesCertificateChain
+        };
+        const void* values[] = {
+            host.get(),
+#if PLATFORM(COCOA)
+            gLegacyTLSEnabled ? kCFStreamSocketSecurityLevelNegotiatedSSL : kCFStreamSocketSecurityLevelTLSv1_2,
+#else
+            kCFStreamSocketSecurityLevelNegotiatedSSL,
+#endif
+            validateCertificateChain
+        };
         RetainPtr<CFDictionaryRef> settings = adoptCF(CFDictionaryCreate(0, keys, values, WTF_ARRAY_LENGTH(keys), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
         CFReadStreamSetProperty(m_readStream.get(), kCFStreamPropertySSLSettings, settings.get());

trunk/Source/WebKit/ChangeLog ¶

@@ +1 @@
+2019-09-09  Alex Christensen  <achristensen@webkit.org>
+
+        Disable TLS 1.0 and 1.1 in WebSockets
+        https://bugs.webkit.org/show_bug.cgi?id=201573
+
+        Reviewed by Youenn Fablet.
+
+        * NetworkProcess/NetworkProcessCreationParameters.cpp:
+        (WebKit::NetworkProcessCreationParameters::encode const):
+        (WebKit::NetworkProcessCreationParameters::decode):
+        * NetworkProcess/NetworkProcessCreationParameters.h:
+        * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+        (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+        * UIProcess/API/Cocoa/WKProcessPool.mm:
+        (-[WKProcessPool _allowAnyTLSCertificateForWebSocketTesting]):
+        * UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+
 2019-09-09  Tim Horton  <timothy_horton@apple.com>
 

trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp ¶

@@ -94 +94 @@
     encoder << hstsStorageDirectory;
     encoder << hstsStorageDirectoryExtensionHandle;
+    encoder << enableLegacyTLS;
 }
 
@@ -229 +230 @@
         return false;
     
+    if (!decoder.decode(result.enableLegacyTLS))
+        return false;
+
     return true;
 }

trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h ¶

@@ -112 +112 @@
     String hstsStorageDirectory;
     SandboxExtension::Handle hstsStorageDirectoryExtensionHandle;
+    bool enableLegacyTLS { false };
 };
 

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm ¶

@@ -40 +40 @@
 #import <WebCore/SecurityOrigin.h>
 #import <WebCore/SecurityOriginData.h>
+#import <WebCore/SocketStreamHandleImpl.h>
 #import <pal/spi/cf/CFNetworkSPI.h>
 #import <wtf/BlockPtr.h>
@@ -70 +71 @@
 void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters)
 {
+    WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(parameters.enableLegacyTLS);
+
     WebCore::setApplicationBundleIdentifier(parameters.uiProcessBundleIdentifier);
     WebCore::setApplicationSDKVersion(parameters.uiProcessSDKVersion);

trunk/Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm ¶

@@ -648 +648 @@
 }
 
+- (void)_allowAnyTLSCertificateForWebSocketTesting
+{
+    _processPool->setAllowsAnySSLCertificateForWebSocket(true);
+}
+
 @end

trunk/Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h ¶

@@ -124 +124 @@
 - (BOOL)_networkProcessHasEntitlementForTesting:(NSString *)entitlement WK_API_AVAILABLE(macos(10.14.4), ios(12.2));
 - (void)_clearPermanentCredentialsForProtectionSpace:(NSURLProtectionSpace *)protectionSpace WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (void)_allowAnyTLSCertificateForWebSocketTesting WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
 @property (nonatomic, getter=_isCookieStoragePartitioningEnabled, setter=_setCookieStoragePartitioningEnabled:) BOOL _cookieStoragePartitioningEnabled WK_API_DEPRECATED("Partitioned cookies are no longer supported", macos(10.12.3, 10.14.4), ios(10.3, 12.2));

trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm ¶

@@ -282 +282 @@
     }
 
-    parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = [defaults boolForKey:@"WebKitEnableLegacyTLS"];
+    parameters.enableLegacyTLS = [defaults boolForKey:@"WebKitEnableLegacyTLS"];
+    parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = parameters.enableLegacyTLS;
 
     parameters.networkATSContext = adoptCF(_CFNetworkCopyATSContext());

trunk/Source/WebKitLegacy/mac/ChangeLog ¶

@@ +1 @@
+2019-09-09  Alex Christensen  <achristensen@webkit.org>
+
+        Disable TLS 1.0 and 1.1 in WebSockets
+        https://bugs.webkit.org/show_bug.cgi?id=201573
+
+        Reviewed by Youenn Fablet.
+
+        * WebView/WebView.mm:
+        (-[WebView _commonInitializationWithFrameName:groupName:]):
+
 2019-09-06  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebKitLegacy/mac/WebView/WebView.mm ¶

@@ -206 +206 @@
 #import <WebCore/ShouldTreatAsContinuingLoad.h>
 #import <WebCore/SocketProvider.h>
+#import <WebCore/SocketStreamHandleImpl.h>
 #import <WebCore/StringUtilities.h>
 #import <WebCore/StyleProperties.h>
@@ -1420 +1421 @@
             DeprecatedGlobalSettings::setShouldManageAudioSessionCategory(true);
 #endif
+        
+        if ([[NSUserDefaults standardUserDefaults] boolForKey:@"WebKitEnableLegacyTLS"])
+            SocketStreamHandleImpl::setLegacyTLSEnabled(true);
 
         didOneTimeInitialization = true;

trunk/Tools/ChangeLog ¶

@@ +1 @@
+2019-09-09  Alex Christensen  <achristensen@webkit.org>
+
+        Disable TLS 1.0 and 1.1 in WebSockets
+        https://bugs.webkit.org/show_bug.cgi?id=201573
+
+        Reviewed by Youenn Fablet.
+
+        * TestWebKitAPI/SourcesCocoa.txt:
+        * TestWebKitAPI/TCPServer.cpp:
+        (sk_CRYPTO_BUFFER_num):
+        (sk_CRYPTO_BUFFER_value):
+        (TestWebKitAPI::deleter<CRYPTO_BUFFER>::operator()):
+        (TestWebKitAPI::TCPServer::TCPServer):
+        (TestWebKitAPI::TCPServer::listenForConnections):
+        (TestWebKitAPI::deleter<X509>::operator()): Deleted.
+        (TestWebKitAPI::deleter<uint8_t::operator()): Deleted.
+        * TestWebKitAPI/TCPServer.h:
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm: Added.
+        (-[WebSocketDelegate waitForMessage]):
+        (-[WebSocketDelegate webView:runJavaScriptAlertPanelWithMessage:initiatedByFrame:completionHandler:]):
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/cocoa/TestNavigationDelegate.h:
+        * TestWebKitAPI/cocoa/TestNavigationDelegate.mm:
+        (-[TestNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]):
+        (-[TestNavigationDelegate waitForDidFailProvisionalNavigation]):
+
 2019-09-09  Fujii Hironori  <Hironori.Fujii@sony.com>
 

trunk/Tools/TestWebKitAPI/SourcesCocoa.txt ¶

@@ -29 +29 @@
 cocoa/TestProtocol.mm
 cocoa/TestWKWebView.mm
+
+Tests/WebKitCocoa/TLSDeprecation.mm

trunk/Tools/TestWebKitAPI/TCPServer.cpp ¶

@@ -34 +34 @@
 
 #if HAVE(SSL)
+
+#define STACK_OF(type) struct stack_st_##type
+
 extern "C" {
 
+enum ssl_verify_result_t {
+    ssl_verify_ok,
+    ssl_verify_invalid,
+    ssl_verify_retry,
+};
+
 struct BIO;
-struct X509;
+struct CRYPTO_BUFFER;
 struct SSL_CTX;
 struct EVP_PKEY;
 struct SSL_METHOD;
-struct X509_STORE_CTX {
-    void* unused;
-    X509* cert;
-};
+struct SSL_PRIVATE_KEY_METHOD;
+struct _STACK;
+struct CRYPTO_BUFFER_POOL;
 struct pem_password_cb;
 int BIO_free(BIO*);
 int SSL_free(SSL*);
-int X509_free(X509*);
 int SSL_CTX_free(SSL_CTX*);
 int EVP_PKEY_free(EVP_PKEY*);
 int SSL_library_init();
-const SSL_METHOD* SSLv23_server_method();
+const SSL_METHOD* TLS_with_buffers_method();
 BIO* BIO_new_mem_buf(const void*, int);
-X509* PEM_read_bio_X509(BIO*, X509**, pem_password_cb*, void*);
 EVP_PKEY* PEM_read_bio_PrivateKey(BIO*, EVP_PKEY**, pem_password_cb*, void*);
 SSL_CTX* SSL_CTX_new(const SSL_METHOD*);
-const SSL_METHOD* SSLv23_server_method();
-int SSL_CTX_use_certificate(SSL_CTX*, X509*);
-int SSL_CTX_use_PrivateKey(SSL_CTX*, EVP_PKEY*);
 SSL* SSL_new(SSL_CTX*);
 int SSL_accept(SSL*);
 int SSL_set_fd(SSL*, int);
-void SSL_CTX_set_verify(SSL_CTX*, int, int (*)(int, X509_STORE_CTX*));
-void SSL_CTX_set_cert_verify_callback(SSL_CTX*, int (*)(X509_STORE_CTX*, void*), void*);
 int SSL_get_error(const SSL*, int);
+void SSL_CTX_set_custom_verify(SSL_CTX*, int mode, enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert));
 int SSL_read(SSL*, void*, int);
 int SSL_write(SSL*, const void*, int);
-int i2d_X509(X509*, unsigned char**);
+const uint8_t* CRYPTO_BUFFER_data(const CRYPTO_BUFFER*);
+size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER*);
 void OPENSSL_free(void*);
+int SSL_CTX_set_chain_and_key(SSL_CTX*, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY*, const SSL_PRIVATE_KEY_METHOD*);
+CRYPTO_BUFFER* CRYPTO_BUFFER_new(const uint8_t*, size_t, CRYPTO_BUFFER_POOL*);
+void CRYPTO_BUFFER_free(CRYPTO_BUFFER*);
+size_t sk_num(const _STACK*);
+void* sk_value(const _STACK*, size_t);
+const STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL*);
+void SSL_CTX_set_max_proto_version(SSL_CTX*, uint16_t);
 #define SSL_VERIFY_PEER 0x01
 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
 
 } // extern "C"
+
+inline size_t sk_CRYPTO_BUFFER_num(const STACK_OF(CRYPTO_BUFFER) *sk) { return sk_num((const _STACK *)sk); }
+inline CRYPTO_BUFFER* sk_CRYPTO_BUFFER_value(const STACK_OF(CRYPTO_BUFFER) *sk, size_t i) { return (CRYPTO_BUFFER *)sk_value((const _STACK *)sk, i); }
 #endif // HAVE(SSL)
 
@@ -92 +105 @@
     }
 };
-template<> struct deleter<X509> {
-    void operator()(X509* x509)
-    {
-        X509_free(x509);
-    }
-};
 template<> struct deleter<SSL_CTX> {
     void operator()(SSL_CTX* ctx)
@@ -110 +117 @@
     }
 };
-template<> struct deleter<uint8_t[]> {
-    void operator()(uint8_t* buffer)
+template<> struct deleter<CRYPTO_BUFFER> {
+    void operator()(CRYPTO_BUFFER* buffer)
     {
-        OPENSSL_free(buffer);
-    }
-};
+        CRYPTO_BUFFER_free(buffer);
+    }
+};
+namespace ssl {
+template <typename T> using unique_ptr = std::unique_ptr<T, deleter<T>>;
+}
 #endif // HAVE(SSL)
 
@@ -125 +135 @@
 
 #if HAVE(SSL)
-TCPServer::TCPServer(Protocol protocol, Function<void(SSL*)>&& secureConnectionHandler)
-{
-    auto startSecureConnection = [secureConnectionHandler = WTFMove(secureConnectionHandler), protocol] (Socket socket) {
+TCPServer::TCPServer(Protocol protocol, Function<void(SSL*)>&& secureConnectionHandler, Optional<uint16_t> maxTLSVersion)
+{
+    auto startSecureConnection = [secureConnectionHandler = WTFMove(secureConnectionHandler), protocol, maxTLSVersion] (Socket socket) {
         SSL_library_init();
 
-        std::unique_ptr<SSL_CTX, deleter<SSL_CTX>> ctx(SSL_CTX_new(SSLv23_server_method()));
+        ssl::unique_ptr<SSL_CTX> ctx(SSL_CTX_new(TLS_with_buffers_method()));
 
         // This is a test certificate from BoringSSL.
-        char kCertPEM[] =
-        "-----BEGIN CERTIFICATE-----\n"
-        "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV\n"
-        "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"
-        "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF\n"
-        "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"
-        "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"
-        "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci\n"
-        "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV\n"
-        "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV\n"
-        "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f\n"
-        "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht\n"
-        "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr\n"
-        "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f\n"
-        "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==\n"
-        "-----END CERTIFICATE-----\n";
-
-        std::unique_ptr<BIO, deleter<BIO>> certBIO(BIO_new_mem_buf(kCertPEM, strlen(kCertPEM)));
-        std::unique_ptr<X509, deleter<X509>> certX509(PEM_read_bio_X509(certBIO.get(), nullptr, nullptr, nullptr));
-        ASSERT(certX509);
-        SSL_CTX_use_certificate(ctx.get(), certX509.get());
-
-        if (protocol == Protocol::HTTPSWithClientCertificateRequest) {
-            SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
-            SSL_CTX_set_cert_verify_callback(ctx.get(), [] (X509_STORE_CTX* store_ctx, void*) -> int {
-                uint8_t* bufferPointer = nullptr;
-                auto length = i2d_X509(store_ctx->cert, &bufferPointer);
-                std::unique_ptr<uint8_t[], deleter<uint8_t[]>> buffer(bufferPointer);
-                auto expectedCert = testCertificate();
-                EXPECT_EQ(static_cast<int>(expectedCert.size()), length);
-                for (int i = 0; i < length; ++i)
-                    EXPECT_EQ(buffer.get()[i], expectedCert[i]);
-                return 1;
-            }, nullptr);
-        }
+        String certPEM(
+        "MIICWDCCAcGgAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV"
+        "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX"
+        "aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF"
+        "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50"
+        "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"
+        "gQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLci"
+        "HnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfV"
+        "W28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNV"
+        "HQ4EFgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4f"
+        "Zbf6Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA76Hht"
+        "ldY9avcTGSwbwoiuIqv0jTL1fHFnzy3RHMLDh+Lpvolc5DSrSJHCP5WuK0eeJXhr"
+        "T5oQpHL9z/cCDLAKCKRa4uV0fhEdOWBqyR9p8y5jJtye72t6CuFUV5iqcpF4BH4f"
+        "j2VNHwsSrJwkD4QUGlUtH7vwnQmyCFxZMmWAJg==");
+        Vector<uint8_t> certDER;
+        base64Decode(certPEM, certDER, WTF::Base64DecodeOptions::Base64Default);
+        ssl::unique_ptr<CRYPTO_BUFFER> cert(CRYPTO_BUFFER_new(certDER.data(), certDER.size(), nullptr));
+        ASSERT(cert);
 
         // This is a test key from BoringSSL.
@@ -187 +180 @@
         "-----END RSA PRIVATE KEY-----\n";
 
-        std::unique_ptr<BIO, deleter<BIO>> privateKeyBIO(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
-        std::unique_ptr<EVP_PKEY, deleter<EVP_PKEY>> privateKey(PEM_read_bio_PrivateKey(privateKeyBIO.get(), nullptr, nullptr, nullptr));
+        ssl::unique_ptr<BIO> privateKeyBIO(BIO_new_mem_buf(kKeyPEM, strlen(kKeyPEM)));
+        ssl::unique_ptr<EVP_PKEY> privateKey(PEM_read_bio_PrivateKey(privateKeyBIO.get(), nullptr, nullptr, nullptr));
         ASSERT(privateKey);
-        SSL_CTX_use_PrivateKey(ctx.get(), privateKey.get());
-
-        std::unique_ptr<SSL, deleter<SSL>> ssl(SSL_new(ctx.get()));
+
+        SSL_CTX_set_chain_and_key(ctx.get(), reinterpret_cast<CRYPTO_BUFFER *const *>(&cert), 1, privateKey.get(), nullptr);
+
+        if (protocol == Protocol::HTTPSWithClientCertificateRequest) {
+            SSL_CTX_set_custom_verify(ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, [] (SSL* ssl, uint8_t*) -> ssl_verify_result_t {
+                auto chain = SSL_get0_peer_certificates(ssl);
+                EXPECT_EQ(sk_CRYPTO_BUFFER_num(chain), 2u);
+                auto cert = sk_CRYPTO_BUFFER_value(chain, 0);
+                auto expectedCert = testCertificate();
+                EXPECT_EQ(CRYPTO_BUFFER_len(cert), expectedCert.size());
+                EXPECT_TRUE(!memcmp(CRYPTO_BUFFER_data(cert), expectedCert.data(), expectedCert.size()));
+                return ssl_verify_ok;
+            });
+        }
+
+        if (maxTLSVersion)
+            SSL_CTX_set_max_proto_version(ctx.get(), *maxTLSVersion);
+
+        ssl::unique_ptr<SSL> ssl(SSL_new(ctx.get()));
         ASSERT(ssl);
         SSL_set_fd(ssl.get(), socket);
 
         auto acceptResult = SSL_accept(ssl.get());
-        ASSERT_UNUSED(acceptResult, acceptResult > 0);
-        
-        secureConnectionHandler(ssl.get());
+        secureConnectionHandler(acceptResult > 0 ? ssl.get() : nullptr);
     };
 
@@ -240 +247 @@
             }));
         }
+        close(listeningSocket);
     });
 }

trunk/Tools/TestWebKitAPI/TCPServer.h ¶

@@ -28 +28 @@
 #include <thread>
 #include <wtf/Function.h>
+#include <wtf/Optional.h>
 #include <wtf/Vector.h>
 
@@ -47 +48 @@
         HTTPS, HTTPSProxy, HTTPSWithClientCertificateRequest
     };
-    TCPServer(Protocol, Function<void(SSL*)>&&);
+    TCPServer(Protocol, Function<void(SSL*)>&&, Optional<uint16_t> maxTLSVersion = WTF::nullopt);
 #endif // HAVE(SSL)
     ~TCPServer();

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj ¶

@@ -1866 +1866 @@
                 5C6E27A6224EEBEA00128736 /* URLCanonicalization.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = URLCanonicalization.mm; sourceTree = "<group>"; };
                 5C7148942123A40700FDE3C5 /* WKWebsiteDatastore.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WKWebsiteDatastore.mm; sourceTree = "<group>"; };
+                5C73A81A2323059800DEA85A /* TLSDeprecation.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = TLSDeprecation.mm; sourceTree = "<group>"; };
                 5C75715F221249BD00B9E5AC /* BundleRetainPagePlugIn.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = BundleRetainPagePlugIn.mm; sourceTree = "<group>"; };
                 5C79640F1EB0269B0075D74C /* EventModifiers.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EventModifiers.cpp; sourceTree = "<group>"; };
@@ -2874 +2875 @@
                                 5C16F8FB230C942B0074C4A8 /* TextSize.mm */,
                                 C22FA32A228F8708009D7988 /* TextWidth.mm */,
+                                5C73A81A2323059800DEA85A /* TLSDeprecation.mm */,
                                 5CB40B4D1F4B98BE007DC7B9 /* UIDelegate.mm */,
                                 5C3A77A922F20B8A003827FF /* UploadDirectory.mm */,

trunk/Tools/TestWebKitAPI/cocoa/TestNavigationDelegate.h ¶

@@ -38 +38 @@
 @property (nonatomic, copy) void (^renderingProgressDidChange)(WKWebView *, _WKRenderingProgressEvents);
 @property (nonatomic, copy) void (^webContentProcessDidTerminate)(WKWebView *);
+@property (nonatomic, copy) void (^didReceiveAuthenticationChallenge)(WKWebView *, NSURLAuthenticationChallenge *, void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *));
 
 - (void)waitForDidStartProvisionalNavigation;
 - (void)waitForDidFinishNavigation;
+- (void)waitForDidFailProvisionalNavigation;
 
 @end

trunk/Tools/TestWebKitAPI/cocoa/TestNavigationDelegate.mm ¶

@@ -76 +76 @@
 }
 
+- (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
+{
+    if (_didReceiveAuthenticationChallenge)
+        _didReceiveAuthenticationChallenge(webView, challenge, completionHandler);
+    else
+        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
+}
+
 - (void)waitForDidStartProvisionalNavigation
 {
@@ -102 +110 @@
 
     self.didFinishNavigation = nil;
+}
+
+- (void)waitForDidFailProvisionalNavigation
+{
+    EXPECT_FALSE(self.didFailProvisionalNavigation);
+
+    __block bool finished = false;
+    self.didFailProvisionalNavigation = ^(WKWebView *, WKNavigation *, NSError *) {
+        finished = true;
+    };
+
+    TestWebKitAPI::Util::run(&finished);
+
+    self.didFailProvisionalNavigation = nil;
 }