Changeset 255461 in webkit
- Timestamp:
- Jan 30, 2020, 2:53:22 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 39 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/PAL/ChangeLog
r255455 r255461 1 2020-01-30 Alex Christensen <achristensen@webkit.org> 2 3 Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1 4 https://bugs.webkit.org/show_bug.cgi?id=206979 5 6 Reviewed by Brady Eidson. 7 8 * pal/spi/cf/CFNetworkSPI.h: 9 1 10 2020-01-30 Jonathan Bedard <jbedard@apple.com> 2 11 -
trunk/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
r255455 r255461 108 108 109 109 #if defined(__OBJC__) 110 111 @interface NSURLSessionTask () 112 @property (readonly, retain) NSURLSessionTaskMetrics* _incompleteTaskMetrics; 113 @end 110 114 111 115 @interface NSURLCache () … … 401 405 @interface NSURLSessionTask () 402 406 - (void)_setExplicitCookieStorage:(CFHTTPCookieStorageRef)storage; 407 @property (readonly) SSLProtocol _TLSNegotiatedProtocolVersion; 403 408 @end 404 409 -
trunk/Source/WebKit/ChangeLog
r255458 r255461 1 2020-01-30 Alex Christensen <achristensen@webkit.org> 2 3 Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1 4 https://bugs.webkit.org/show_bug.cgi?id=206979 5 6 Reviewed by Brady Eidson. 7 8 * NetworkProcess/NetworkCORSPreflightChecker.cpp: 9 (WebKit::NetworkCORSPreflightChecker::didReceiveChallenge): 10 * NetworkProcess/NetworkCORSPreflightChecker.h: 11 * NetworkProcess/NetworkDataTask.h: 12 * NetworkProcess/NetworkLoad.cpp: 13 (WebKit::NetworkLoad::didReceiveChallenge): 14 * NetworkProcess/NetworkLoad.h: 15 * NetworkProcess/NetworkProcessCreationParameters.cpp: 16 (WebKit::NetworkProcessCreationParameters::encode const): 17 (WebKit::NetworkProcessCreationParameters::decode): 18 * NetworkProcess/NetworkProcessCreationParameters.h: 19 * NetworkProcess/NetworkSessionCreationParameters.cpp: 20 (WebKit::NetworkSessionCreationParameters::encode const): 21 (WebKit::NetworkSessionCreationParameters::decode): 22 * NetworkProcess/NetworkSessionCreationParameters.h: 23 * NetworkProcess/PingLoad.cpp: 24 (WebKit::PingLoad::didReceiveChallenge): 25 * NetworkProcess/PingLoad.h: 26 * NetworkProcess/cocoa/NetworkDataTaskCocoa.h: 27 * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm: 28 (WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa): 29 (WebKit::NetworkDataTaskCocoa::didReceiveChallenge): 30 (WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection): 31 * NetworkProcess/cocoa/NetworkProcessCocoa.mm: 32 (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa): 33 * NetworkProcess/cocoa/NetworkSessionCocoa.h: 34 * NetworkProcess/cocoa/NetworkSessionCocoa.mm: 35 (processServerTrustEvaluation): 36 (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]): 37 (WebKit::NetworkSessionCocoa::NetworkSessionCocoa): 38 (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge): 39 * Shared/Authentication/AuthenticationManager.cpp: 40 (WebKit::AuthenticationManager::didReceiveAuthenticationChallenge): 41 * Shared/Authentication/AuthenticationManager.h: 42 * UIProcess/API/APINavigationClient.h: 43 (API::NavigationClient::shouldAllowLegacyTLS): 44 * UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h: 45 * UIProcess/Cocoa/NavigationState.h: 46 * UIProcess/Cocoa/NavigationState.mm: 47 (WebKit::NavigationState::setNavigationDelegate): 48 (WebKit::systemAllowsLegacyTLSFor): 49 (WebKit::NavigationState::NavigationClient::shouldAllowLegacyTLS): 50 * UIProcess/Cocoa/WebProcessPoolCocoa.mm: 51 (WebKit::WebProcessPool::platformInitializeNetworkProcess): 52 * UIProcess/Network/NetworkProcessProxy.cpp: 53 (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge): 54 * UIProcess/Network/NetworkProcessProxy.h: 55 * UIProcess/Network/NetworkProcessProxy.messages.in: 56 * UIProcess/WebPageProxy.cpp: 57 * UIProcess/WebPageProxy.h: 58 * UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm: 59 (WebKit::WebsiteDataStore::parameters): 60 * UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h: 61 1 62 2020-01-30 Tim Horton <timothy_horton@apple.com> 2 63 -
trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp
r250053 r255461 89 89 } 90 90 91 void NetworkCORSPreflightChecker::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)91 void NetworkCORSPreflightChecker::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler) 92 92 { 93 93 RELEASE_LOG_IF_ALLOWED("didReceiveChallenge, authentication scheme: %u", challenge.protectionSpace().authenticationScheme()); … … 102 102 } 103 103 104 m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_parameters.sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));104 m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_parameters.sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler)); 105 105 } 106 106 -
trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h
r249714 r255461 69 69 private: 70 70 void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final; 71 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;71 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final; 72 72 void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final; 73 73 void didReceiveData(Ref<WebCore::SharedBuffer>&&) final; -
trunk/Source/WebKit/NetworkProcess/NetworkDataTask.h
r252274 r255461 53 53 class PendingDownload; 54 54 enum class AuthenticationChallengeDisposition : uint8_t; 55 enum class NegotiatedLegacyTLS : bool; 55 56 56 57 using RedirectCompletionHandler = CompletionHandler<void(WebCore::ResourceRequest&&)>; … … 61 62 public: 62 63 virtual void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) = 0; 63 virtual void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) = 0;64 virtual void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) = 0; 64 65 virtual void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) = 0; 65 66 virtual void didReceiveData(Ref<WebCore::SharedBuffer>&&) = 0; -
trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp
r254345 r255461 188 188 } 189 189 190 void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)190 void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler) 191 191 { 192 192 m_client.get().didReceiveChallenge(challenge); … … 204 204 m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(*pendingDownload, challenge, WTFMove(completionHandler)); 205 205 else 206 m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_task->sessionID(), m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));206 m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_task->sessionID(), m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler)); 207 207 } 208 208 -
trunk/Source/WebKit/NetworkProcess/NetworkLoad.h
r245979 r255461 74 74 // NetworkDataTaskClient 75 75 void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final; 76 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;76 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final; 77 77 void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final; 78 78 void didReceiveData(Ref<WebCore::SharedBuffer>&&) final; -
trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp
r254873 r255461 78 78 encoder << hstsStorageDirectory; 79 79 encoder << hstsStorageDirectoryExtensionHandle; 80 encoder << enableLegacyTLS;81 80 } 82 81 … … 180 179 if (!decoder.decode(result.hstsStorageDirectoryExtensionHandle)) 181 180 return false; 182 183 if (!decoder.decode(result.enableLegacyTLS))184 return false;185 181 186 182 return true; -
trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h
r254931 r255461 98 98 String hstsStorageDirectory; 99 99 SandboxExtension::Handle hstsStorageDirectoryExtensionHandle; 100 bool enableLegacyTLS { false };101 100 }; 102 101 -
trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp
r254556 r255461 52 52 encoder << httpProxy; 53 53 encoder << httpsProxy; 54 encoder << enableLegacyTLS;55 54 #endif 56 55 #if USE(SOUP) … … 138 137 decoder >> httpsProxy; 139 138 if (!httpsProxy) 140 return WTF::nullopt;141 142 Optional<bool> enableLegacyTLS;143 decoder >> enableLegacyTLS;144 if (!enableLegacyTLS)145 139 return WTF::nullopt; 146 140 #endif … … 289 283 , WTFMove(*httpProxy) 290 284 , WTFMove(*httpsProxy) 291 , WTFMove(*enableLegacyTLS)292 285 #endif 293 286 #if USE(SOUP) -
trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h
r254556 r255461 71 71 URL httpProxy; 72 72 URL httpsProxy; 73 bool enableLegacyTLS { false };74 73 #endif 75 74 #if USE(SOUP) -
trunk/Source/WebKit/NetworkProcess/PingLoad.cpp
r251547 r255461 147 147 } 148 148 149 void PingLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)149 void PingLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler) 150 150 { 151 151 RELEASE_LOG_IF_ALLOWED("didReceiveChallenge"); 152 152 if (challenge.protectionSpace().authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested) { 153 m_networkLoadChecker->networkProcess().authenticationManager().didReceiveAuthenticationChallenge(m_sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));153 m_networkLoadChecker->networkProcess().authenticationManager().didReceiveAuthenticationChallenge(m_sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler)); 154 154 return; 155 155 } -
trunk/Source/WebKit/NetworkProcess/PingLoad.h
r251547 r255461 53 53 54 54 void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final; 55 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;55 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final; 56 56 void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final; 57 57 void didReceiveData(Ref<WebCore::SharedBuffer>&&) final; -
trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h
r253702 r255461 53 53 54 54 void didSendData(uint64_t totalBytesSent, uint64_t totalBytesExpectedToSend); 55 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&);55 void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&); 56 56 void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&); 57 57 void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&); -
trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
r253702 r255461 53 53 #endif 54 54 55 #if __has_include(<WebKitAdditions/NetworkDataTaskCocoaAdditions.h>)56 #include <WebKitAdditions/NetworkDataTaskCocoaAdditions.h>57 #else58 #define NETWORK_DATA_TASK_COCOA_ADDITIONS_159 #define NETWORK_DATA_TASK_COCOA_ADDITIONS_260 #endif61 62 55 #if HAVE(OS_SIGNPOST) 63 56 … … 286 279 287 280 m_task = [m_sessionWrapper.session dataTaskWithRequest:nsRequest]; 288 289 NETWORK_DATA_TASK_COCOA_ADDITIONS_1;290 281 291 282 BEGIN_SIGNPOST(m_task, "%{public}s pri: %f preconnect: %d", url.string().ascii().data(), toNSURLSessionTaskPriority(request.priority()), shouldPreconnectOnly == PreconnectOnly::Yes); … … 349 340 } 350 341 351 void NetworkDataTaskCocoa::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)342 void NetworkDataTaskCocoa::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler) 352 343 { 353 344 EMIT_SIGNPOST(m_task, "received challenge"); … … 357 348 358 349 if (m_client) 359 m_client->didReceiveChallenge(WTFMove(challenge), WTFMove(completionHandler));350 m_client->didReceiveChallenge(WTFMove(challenge), negotiatedLegacyTLS, WTFMove(completionHandler)); 360 351 else { 361 352 ASSERT_NOT_REACHED(); … … 461 452 if (!request.isNull()) 462 453 restrictRequestReferrerToOriginIfNeeded(request); 463 464 NETWORK_DATA_TASK_COCOA_ADDITIONS_2;465 466 454 completionHandler(WTFMove(request)); 467 455 }); -
trunk/Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm
r254873 r255461 71 71 void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters) 72 72 { 73 WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(parameters.enableLegacyTLS);74 75 73 WebCore::setApplicationBundleIdentifier(parameters.uiProcessBundleIdentifier); 76 74 WebCore::setApplicationSDKVersion(parameters.uiProcessSDKVersion); -
trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h
r254081 r255461 46 46 namespace WebKit { 47 47 48 enum class NegotiatedLegacyTLS : bool; 48 49 class LegacyCustomProtocolManager; 49 50 class NetworkSessionCocoa; … … 79 80 static bool allowsSpecificHTTPSCertificateForHost(const WebCore::AuthenticationChallenge&); 80 81 81 void continueDidReceiveChallenge(SessionWrapper&, const WebCore::AuthenticationChallenge&, Ne tworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&);82 void continueDidReceiveChallenge(SessionWrapper&, const WebCore::AuthenticationChallenge&, NegotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&); 82 83 83 84 SessionWrapper& sessionWrapperForDownloads() { return m_sessionWithCredentialStorage; } -
trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
r254873 r255461 597 597 598 598 #if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE) 599 static inline void processServerTrustEvaluation(NetworkSessionCocoa *session, SessionWrapper& sessionWrapper, NSURLAuthenticationChallenge *challenge, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler)600 { 601 session ->continueDidReceiveChallenge(sessionWrapper, challenge, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {599 static inline void processServerTrustEvaluation(NetworkSessionCocoa& session, SessionWrapper& sessionWrapper, NSURLAuthenticationChallenge *challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler) 600 { 601 session.continueDidReceiveChallenge(sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable { 602 602 // FIXME: UIProcess should send us back non nil credentials but the credential IPC encoder currently only serializes ns credentials for username/password. 603 603 if (disposition == WebKit::AuthenticationChallengeDisposition::UseCredential && !credential.nsCredential()) { … … 629 629 } 630 630 631 NegotiatedLegacyTLS negotiatedLegacyTLS = NegotiatedLegacyTLS::No; 632 631 633 if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { 632 634 if (NetworkSessionCocoa::allowsSpecificHTTPSCertificateForHost(challenge)) 633 635 return completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); 634 636 637 #if HAVE(TLS_PROTOCOL_VERSION_T) 638 NSURLSessionTaskTransactionMetrics *metrics = task._incompleteTaskMetrics.transactionMetrics.lastObject; 639 auto tlsVersion = (tls_protocol_version_t)metrics.negotiatedTLSProtocolVersion.unsignedShortValue; 640 if (tlsVersion == tls_protocol_version_TLSv10 || tlsVersion == tls_protocol_version_TLSv11) 641 negotiatedLegacyTLS = NegotiatedLegacyTLS::Yes; 642 #endif 643 ALLOW_DEPRECATED_DECLARATIONS_BEGIN 644 if (negotiatedLegacyTLS == NegotiatedLegacyTLS::No && [task respondsToSelector:@selector(_TLSNegotiatedProtocolVersion)]) { 645 SSLProtocol tlsVersion = [task _TLSNegotiatedProtocolVersion]; 646 if (tlsVersion == kTLSProtocol11 || tlsVersion == kTLSProtocol1) 647 negotiatedLegacyTLS = NegotiatedLegacyTLS::Yes; 648 } 649 ALLOW_DEPRECATED_DECLARATIONS_END 650 635 651 // Handle server trust evaluation at platform-level if requested, for performance reasons and to use ATS defaults. 636 if (sessionCocoa->fastServerTrustEvaluationEnabled() ) {652 if (sessionCocoa->fastServerTrustEvaluationEnabled() && negotiatedLegacyTLS == NegotiatedLegacyTLS::No) { 637 653 #if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE) 638 654 auto* networkDataTask = [self existingTask:task]; 639 655 ASSERT(networkDataTask); 640 auto decisionHandler = makeBlockPtr([weakSelf = WeakObjCPtr<WKNetworkSessionDelegate>(self), sessionCocoa = makeWeakPtr(sessionCocoa), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = RefPtr<NetworkDataTaskCocoa>(networkDataTask)](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable {656 auto decisionHandler = makeBlockPtr([weakSelf = WeakObjCPtr<WKNetworkSessionDelegate>(self), sessionCocoa = makeWeakPtr(sessionCocoa), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = makeRefPtr(networkDataTask), negotiatedLegacyTLS](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable { 641 657 auto strongSelf = weakSelf.get(); 642 658 if (!strongSelf) … … 648 664 return; 649 665 } 650 processServerTrustEvaluation( session, *strongSelf->_sessionWrapper, challenge, taskIdentifier, task.get(), WTFMove(completionHandler));666 processServerTrustEvaluation(*session, *strongSelf->_sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, task.get(), WTFMove(completionHandler)); 651 667 }); 652 668 [NSURLSession _strictTrustEvaluate:challenge queue:[NSOperationQueue mainQueue].underlyingQueue completionHandler:decisionHandler.get()]; … … 657 673 } 658 674 } 659 sessionCocoa->continueDidReceiveChallenge(*_sessionWrapper, challenge, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {675 sessionCocoa->continueDidReceiveChallenge(*_sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable { 660 676 completionHandler(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential()); 661 677 }); … … 1019 1035 1020 1036 NSURLSessionConfiguration *configuration = configurationForSessionID(m_sessionID); 1021 1022 if (!parameters.enableLegacyTLS) {1023 #if HAVE(TLS_PROTOCOL_VERSION_T)1024 configuration.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;1025 #else1026 configuration.TLSMinimumSupportedProtocol = kTLSProtocol12;1027 #endif1028 }1029 1037 1030 1038 #if HAVE(APP_SSO) … … 1298 1306 } 1299 1307 1300 void NetworkSessionCocoa::continueDidReceiveChallenge(SessionWrapper& sessionWrapper, const WebCore::AuthenticationChallenge& challenge, Ne tworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler)1308 void NetworkSessionCocoa::continueDidReceiveChallenge(SessionWrapper& sessionWrapper, const WebCore::AuthenticationChallenge& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler) 1301 1309 { 1302 1310 if (!networkDataTask) { … … 1350 1358 completionHandler(disposition, credential); 1351 1359 }; 1352 networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), WTFMove(challengeCompletionHandler));1360 networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), negotiatedLegacyTLS, WTFMove(challengeCompletionHandler)); 1353 1361 } 1354 1362 -
trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp
r254703 r255461 355 355 } 356 356 357 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {357 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) { 358 358 if (m_state == State::Canceling || m_state == State::Completed) 359 359 return; … … 381 381 void NetworkDataTaskCurl::tryProxyAuthentication(WebCore::AuthenticationChallenge&& challenge) 382 382 { 383 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {383 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) { 384 384 if (m_state == State::Canceling || m_state == State::Completed) 385 385 return; … … 406 406 void NetworkDataTaskCurl::tryServerTrustEvaluation(AuthenticationChallenge&& challenge) 407 407 { 408 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {408 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) { 409 409 if (m_state == State::Canceling || m_state == State::Completed) 410 410 return; -
trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp
r254370 r255461 532 532 void NetworkDataTaskSoup::continueAuthenticate(AuthenticationChallenge&& challenge) 533 533 { 534 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {534 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) { 535 535 if (m_state == State::Canceling || m_state == State::Completed) { 536 536 clearRequest(); -
trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.cpp
r253102 r255461 110 110 } 111 111 112 void AuthenticationManager::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const SecurityOriginData* topOrigin, const AuthenticationChallenge& authenticationChallenge, ChallengeCompletionHandler&& completionHandler)112 void AuthenticationManager::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const SecurityOriginData* topOrigin, const AuthenticationChallenge& authenticationChallenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler) 113 113 { 114 114 if (!pageID) … … 124 124 if (topOrigin) 125 125 topOriginData = *topOrigin; 126 m_process.send(Messages::NetworkProcessProxy::DidReceiveAuthenticationChallenge(sessionID, pageID, topOriginData, authenticationChallenge, challengeID));126 m_process.send(Messages::NetworkProcessProxy::DidReceiveAuthenticationChallenge(sessionID, pageID, topOriginData, authenticationChallenge, negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes, challengeID)); 127 127 } 128 128 -
trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.h
r252274 r255461 58 58 class NetworkProcess; 59 59 class WebFrame; 60 enum class NegotiatedLegacyTLS : bool { No, Yes }; 60 61 61 62 enum class AuthenticationChallengeDisposition : uint8_t; … … 70 71 static const char* supplementName(); 71 72 72 void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const WebCore::SecurityOriginData* , const WebCore::AuthenticationChallenge&, ChallengeCompletionHandler&&);73 void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const WebCore::SecurityOriginData* , const WebCore::AuthenticationChallenge&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&); 73 74 void didReceiveAuthenticationChallenge(IPC::MessageSender& download, const WebCore::AuthenticationChallenge&, ChallengeCompletionHandler&&); 74 75 -
trunk/Source/WebKit/UIProcess/API/APINavigationClient.h
r252492 r255461 97 97 98 98 virtual void didReceiveAuthenticationChallenge(WebKit::WebPageProxy&, WebKit::AuthenticationChallengeProxy& challenge) { challenge.listener().completeChallenge(WebKit::AuthenticationChallengeDisposition::PerformDefaultHandling); } 99 virtual void shouldAllowLegacyTLS(WebKit::WebPageProxy&, WebKit::AuthenticationChallengeProxy&, CompletionHandler<void(bool)>&& completionHandler) { completionHandler(true); } 99 100 virtual bool shouldBypassContentModeSafeguards() const { return false; } 100 101 -
trunk/Source/WebKit/UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h
r252174 r255461 87 87 - (NSData *)_webCryptoMasterKeyForWebView:(WKWebView *)webView; 88 88 89 - (void)_webView:(WKWebView *)webView authenticationChallenge:(NSURLAuthenticationChallenge *)challenge shouldAllowLegacyTLS:(void (^)(BOOL))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA)); 90 89 91 - (void)_webViewDidBeginNavigationGesture:(WKWebView *)webView; 90 92 // Item is nil if the gesture ended without navigation. -
trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.h
r252492 r255461 113 113 114 114 void didReceiveAuthenticationChallenge(WebPageProxy&, AuthenticationChallengeProxy&) override; 115 void shouldAllowLegacyTLS(WebPageProxy&, AuthenticationChallengeProxy&, CompletionHandler<void(bool)>&&) final; 115 116 bool processDidTerminate(WebPageProxy&, ProcessTerminationReason) override; 116 117 void processDidBecomeResponsive(WebPageProxy&) override; … … 216 217 bool webViewRenderingProgressDidChange : 1; 217 218 bool webViewDidReceiveAuthenticationChallengeCompletionHandler : 1; 219 bool webViewAuthenticationChallengeShouldAllowLegacyTLS : 1; 218 220 bool webViewWebContentProcessDidTerminate : 1; 219 221 bool webViewWebContentProcessDidTerminateWithReason : 1; -
trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.mm
r254005 r255461 80 80 #import <wtf/URL.h> 81 81 82 #if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST) 83 #import <pal/ios/ManagedConfigurationSoftLink.h> 84 #import <pal/spi/ios/ManagedConfigurationSPI.h> 85 #endif 86 82 87 #if HAVE(APP_LINKS) 83 88 #import <pal/spi/cocoa/LaunchServicesSPI.h> … … 167 172 m_navigationDelegateMethods.webViewRenderingProgressDidChange = [delegate respondsToSelector:@selector(_webView:renderingProgressDidChange:)]; 168 173 m_navigationDelegateMethods.webViewDidReceiveAuthenticationChallengeCompletionHandler = [delegate respondsToSelector:@selector(webView:didReceiveAuthenticationChallenge:completionHandler:)]; 174 m_navigationDelegateMethods.webViewAuthenticationChallengeShouldAllowLegacyTLS = [delegate respondsToSelector:@selector(_webView:authenticationChallenge:shouldAllowLegacyTLS:)]; 169 175 m_navigationDelegateMethods.webViewWebContentProcessDidTerminate = [delegate respondsToSelector:@selector(webViewWebContentProcessDidTerminate:)]; 170 176 m_navigationDelegateMethods.webViewWebContentProcessDidTerminateWithReason = [delegate respondsToSelector:@selector(_webView:webContentProcessDidTerminateWithReason:)]; … … 974 980 } 975 981 982 static bool systemAllowsLegacyTLSFor(WebPageProxy& page) 983 { 984 bool enableLegacyTLS = page.websiteDataStore().configuration().legacyTLSEnabled(); 985 if (id value = [[NSUserDefaults standardUserDefaults] objectForKey:@"WebKitEnableLegacyTLS"]) 986 enableLegacyTLS = [value boolValue]; 987 if (!enableLegacyTLS) { 988 #if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST) 989 enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes; 990 #elif PLATFORM(MAC) 991 enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr); 992 #endif 993 } 994 return enableLegacyTLS; 995 } 996 997 void NavigationState::NavigationClient::shouldAllowLegacyTLS(WebPageProxy& page, AuthenticationChallengeProxy& authenticationChallenge, CompletionHandler<void(bool)>&& completionHandler) 998 { 999 if (!m_navigationState.m_navigationDelegateMethods.webViewAuthenticationChallengeShouldAllowLegacyTLS) 1000 return completionHandler(systemAllowsLegacyTLSFor(page)); 1001 1002 auto navigationDelegate = m_navigationState.m_navigationDelegate.get(); 1003 if (!navigationDelegate) 1004 return completionHandler(systemAllowsLegacyTLSFor(page)); 1005 1006 auto checker = CompletionHandlerCallChecker::create(navigationDelegate.get(), @selector(_webView:authenticationChallenge:shouldAllowLegacyTLS:)); 1007 [static_cast<id <WKNavigationDelegatePrivate>>(navigationDelegate.get()) _webView:m_navigationState.m_webView authenticationChallenge:wrapper(authenticationChallenge) shouldAllowLegacyTLS:makeBlockPtr([checker = WTFMove(checker), completionHandler = WTFMove(completionHandler)](BOOL shouldAllow) mutable { 1008 if (checker->completionHandlerHasBeenCalled()) 1009 return; 1010 checker->didCallCompletionHandler(); 1011 completionHandler(shouldAllow); 1012 }).get()]; 1013 } 1014 976 1015 static _WKProcessTerminationReason wkProcessTerminationReason(ProcessTerminationReason reason) 977 1016 { -
trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
r255457 r255461 385 385 } 386 386 387 parameters.enableLegacyTLS = false;388 if (id value = [defaults objectForKey:@"WebKitEnableLegacyTLS"])389 parameters.enableLegacyTLS = [value boolValue];390 if (!parameters.enableLegacyTLS) {391 #if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)392 parameters.enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;393 #elif PLATFORM(MAC)394 parameters.enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);395 #endif396 }397 parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = parameters.enableLegacyTLS;398 399 387 parameters.networkATSContext = adoptCF(_CFNetworkCopyATSContext()); 400 388 -
trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp
r255147 r255461 29 29 #include "APIContentRuleList.h" 30 30 #include "AuthenticationChallengeProxy.h" 31 #include "AuthenticationManager.h" 31 32 #include "DownloadProxyMap.h" 32 33 #include "DownloadProxyMessages.h" … … 327 328 } 328 329 329 void NetworkProcessProxy::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const Optional<SecurityOriginData>& topOrigin, WebCore::AuthenticationChallenge&& coreChallenge, uint64_t challengeID)330 void NetworkProcessProxy::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const Optional<SecurityOriginData>& topOrigin, WebCore::AuthenticationChallenge&& coreChallenge, bool negotiatedLegacyTLS, uint64_t challengeID) 330 331 { 331 332 #if HAVE(SEC_KEY_PROXY) … … 348 349 349 350 if (page) { 350 page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge) );351 page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge), negotiatedLegacyTLS ? NegotiatedLegacyTLS::Yes : NegotiatedLegacyTLS::No); 351 352 return; 352 353 } … … 357 358 } 358 359 359 WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge) ](auto* page) mutable {360 WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge), negotiatedLegacyTLS](auto* page) mutable { 360 361 if (!weakThis) 361 362 return; 362 363 363 364 if (page) { 364 page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge) );365 page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge), negotiatedLegacyTLS ? NegotiatedLegacyTLS::Yes : NegotiatedLegacyTLS::No); 365 366 return; 366 367 } -
trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.h
r254706 r255461 236 236 // Message handlers 237 237 void didReceiveNetworkProcessProxyMessage(IPC::Connection&, IPC::Decoder&); 238 void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const Optional<WebCore::SecurityOriginData>&, WebCore::AuthenticationChallenge&&, uint64_t challengeID);238 void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const Optional<WebCore::SecurityOriginData>&, WebCore::AuthenticationChallenge&&, bool, uint64_t challengeID); 239 239 void didFetchWebsiteData(uint64_t callbackID, const WebsiteData&); 240 240 void didDeleteWebsiteData(uint64_t callbackID); -
trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in
r254706 r255461 22 22 23 23 messages -> NetworkProcessProxy LegacyReceiver NotRefCounted { 24 DidReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebKit::WebPageProxyIdentifier pageID, Optional<WebCore::SecurityOriginData> topOrigin, WebCore::AuthenticationChallenge challenge, uint64_t challengeID)24 DidReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebKit::WebPageProxyIdentifier pageID, Optional<WebCore::SecurityOriginData> topOrigin, WebCore::AuthenticationChallenge challenge, bool negotiatedLegacyTLS, uint64_t challengeID) 25 25 26 26 DidFetchWebsiteData(uint64_t callbackID, struct WebKit::WebsiteData websiteData) -
trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
r255458 r255461 57 57 #include "AuthenticationChallengeProxy.h" 58 58 #include "AuthenticationDecisionListener.h" 59 #include "AuthenticationManager.h" 59 60 #include "AuthenticatorManager.h" 60 61 #include "DataReference.h" … … 7707 7708 #endif 7708 7709 7709 void WebPageProxy::didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& authenticationChallenge) 7710 { 7710 void WebPageProxy::didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& authenticationChallenge, NegotiatedLegacyTLS negotiatedLegacyTLS) 7711 { 7712 if (negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes) { 7713 m_navigationClient->shouldAllowLegacyTLS(*this, authenticationChallenge.get(), [this, protectedThis = makeRef(*this), authenticationChallenge = authenticationChallenge.copyRef()] (bool shouldAllowLegacyTLS) { 7714 if (shouldAllowLegacyTLS) 7715 m_navigationClient->didReceiveAuthenticationChallenge(*this, authenticationChallenge.get()); 7716 else 7717 authenticationChallenge->listener().completeChallenge(AuthenticationChallengeDisposition::Cancel); 7718 }); 7719 return; 7720 } 7711 7721 m_navigationClient->didReceiveAuthenticationChallenge(*this, authenticationChallenge.get()); 7712 7722 } -
trunk/Source/WebKit/UIProcess/WebPageProxy.h
r255385 r255461 338 338 struct UserMessage; 339 339 340 enum class NegotiatedLegacyTLS : bool; 340 341 enum class ProcessSwapRequestedByClient; 341 342 enum class UndoOrRedo : bool; … … 1334 1335 WebCore::IntSize viewportSizeForCSSViewportUnits() const { return m_viewportSizeForCSSViewportUnits.valueOr(WebCore::IntSize()); } 1335 1336 1336 void didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& );1337 void didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&&, NegotiatedLegacyTLS); 1337 1338 1338 1339 SpellDocumentTag spellDocumentTag(); -
trunk/Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm
r254556 r255461 86 86 bool enableResourceLoadStatisticsDebugMode = false; 87 87 auto firstPartyWebsiteDataRemovalMode = WebCore::FirstPartyWebsiteDataRemovalMode::AllButCookies; 88 bool enableLegacyTLS = configuration().legacyTLSEnabled();89 if (id value = [defaults objectForKey:@"WebKitEnableLegacyTLS"])90 enableLegacyTLS = [value boolValue];91 if (!enableLegacyTLS) {92 #if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)93 enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;94 #elif PLATFORM(MAC)95 enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);96 #endif97 }98 88 WebCore::RegistrableDomain resourceLoadStatisticsManualPrevalentResource { }; 99 89 #if ENABLE(RESOURCE_LOAD_STATISTICS) … … 165 155 WTFMove(httpProxy), 166 156 WTFMove(httpsProxy), 167 enableLegacyTLS,168 157 WTFMove(resourceLoadStatisticsDirectory), 169 158 WTFMove(resourceLoadStatisticsDirectoryHandle), -
trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h
r254344 r255461 185 185 bool m_allLoadsBlockedByDeviceManagementRestrictionsForTesting { false }; 186 186 bool m_allowsCellularAccess { true }; 187 bool m_legacyTLSEnabled { false };187 bool m_legacyTLSEnabled { true }; 188 188 bool m_fastServerTrustEvaluationEnabled { false }; 189 189 bool m_serviceWorkerProcessTerminationDelayEnabled { true }; -
trunk/Source/WebKitLegacy/mac/ChangeLog
r255372 r255461 1 2020-01-30 Alex Christensen <achristensen@webkit.org> 2 3 Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1 4 https://bugs.webkit.org/show_bug.cgi?id=206979 5 6 Reviewed by Brady Eidson. 7 8 * WebView/WebView.mm: 9 (-[WebView _commonInitializationWithFrameName:groupName:]): 10 1 11 2020-01-29 Tim Horton <timothy_horton@apple.com> 2 12 -
trunk/Source/WebKitLegacy/mac/WebView/WebView.mm
r255234 r255461 1422 1422 WebCore::DeprecatedGlobalSettings::setShouldManageAudioSessionCategory(true); 1423 1423 #endif 1424 1425 bool enableLegacyTLS = false;1426 if (id value = [[NSUserDefaults standardUserDefaults] objectForKey:@"WebKitEnableLegacyTLS"])1427 enableLegacyTLS = [value boolValue];1428 if (!enableLegacyTLS) {1429 #if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)1430 enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;1431 #elif PLATFORM(MAC)1432 enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);1433 #endif1434 }1435 WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(enableLegacyTLS);1436 1437 1424 didOneTimeInitialization = true; 1438 1425 } -
trunk/Tools/ChangeLog
r255455 r255461 1 2020-01-30 Alex Christensen <achristensen@webkit.org> 2 3 Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1 4 https://bugs.webkit.org/show_bug.cgi?id=206979 5 6 Reviewed by Brady Eidson. 7 8 * MiniBrowser/mac/SettingsController.m: 9 * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm: 10 (-[TLSNavigationDelegate waitForDidFinishNavigation]): 11 (-[TLSNavigationDelegate waitForDidFailProvisionalNavigation]): 12 (-[TLSNavigationDelegate receivedShouldAllowLegacyTLS]): 13 (-[TLSNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]): 14 (-[TLSNavigationDelegate webView:didFinishNavigation:]): 15 (-[TLSNavigationDelegate webView:didFailProvisionalNavigation:withError:]): 16 (-[TLSNavigationDelegate _webView:authenticationChallenge:shouldAllowLegacyTLS:]): 17 (TestWebKitAPI::TEST): 18 1 19 2020-01-30 Jonathan Bedard <jbedard@apple.com> 2 20 -
trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm
r254344 r255461 44 44 #endif 45 45 46 @interface WebSocketDelegate : NSObject <WKUIDelegate, WebUIDelegate> 47 - (NSString *)waitForMessage; 46 @interface TLSNavigationDelegate : NSObject <WKNavigationDelegate> 47 - (void)waitForDidFinishNavigation; 48 - (void)waitForDidFailProvisionalNavigation; 49 - (bool)receivedShouldAllowLegacyTLS; 50 @property (nonatomic) bool shouldAllowLegacyTLS; 48 51 @end 49 52 50 @implementation WebSocketDelegate { 51 RetainPtr<NSString> _message; 52 } 53 54 - (NSString *)waitForMessage 55 { 56 while (!_message) 53 @implementation TLSNavigationDelegate { 54 bool _navigationFinished; 55 bool _navigationFailed; 56 bool _receivedShouldAllowLegacyTLS; 57 } 58 59 - (void)waitForDidFinishNavigation 60 { 61 while (!_navigationFinished) 57 62 TestWebKitAPI::Util::spinRunLoop(); 58 return _message.autorelease(); 59 } 60 61 - (void)webView:(WKWebView *)webView runJavaScriptAlertPanelWithMessage:(NSString *)message initiatedByFrame:(WKFrameInfo *)frame completionHandler:(void (^)(void))completionHandler 62 { 63 _message = message; 64 completionHandler(); 65 } 66 67 - (void)webView:(WebView *)sender runJavaScriptAlertPanelWithMessage:(NSString *)message initiatedByFrame:(WebFrame *)frame 68 { 69 _message = message; 63 } 64 65 - (void)waitForDidFailProvisionalNavigation 66 { 67 while (!_navigationFailed) 68 TestWebKitAPI::Util::spinRunLoop(); 69 } 70 71 - (bool)receivedShouldAllowLegacyTLS 72 { 73 return _receivedShouldAllowLegacyTLS; 74 } 75 76 - (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * credential))completionHandler 77 { 78 EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust); 79 completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); 80 } 81 82 - (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation 83 { 84 _navigationFinished = true; 85 } 86 87 - (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation withError:(NSError *)error 88 { 89 _navigationFailed = true; 90 } 91 92 - (void)_webView:(WKWebView *)webView authenticationChallenge:(NSURLAuthenticationChallenge *)challenge shouldAllowLegacyTLS:(void (^)(BOOL))completionHandler 93 { 94 _receivedShouldAllowLegacyTLS = true; 95 completionHandler([self shouldAllowLegacyTLS]); 70 96 } 71 97 72 98 @end 99 73 100 74 101 namespace TestWebKitAPI { … … 77 104 static NSString *defaultsKey = @"WebKitEnableLegacyTLS"; 78 105 79 TEST(WebKit, TLSVersionWebSocket) 80 { 81 auto getWebSocketEvent = [] (bool clientAllowDeprecatedTLS, bool serverLimitTLS) { 82 Optional<uint16_t> maxServerTLSVersion; 83 if (serverLimitTLS) 84 maxServerTLSVersion = tls1_1; 85 TCPServer server(TCPServer::Protocol::HTTPS, [=](SSL *ssl) { 86 EXPECT_TRUE(!ssl == (clientAllowDeprecatedTLS != serverLimitTLS)); 87 }, maxServerTLSVersion); 88 89 if (clientAllowDeprecatedTLS) 90 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey]; 91 92 auto webView = adoptNS([TestWKWebView new]); 93 auto delegate = adoptNS([WebSocketDelegate new]); 94 [webView setUIDelegate:delegate.get()]; 95 [webView synchronouslyLoadHTMLString:@"start network process"]; 96 [[webView configuration].processPool _allowAnyTLSCertificateForWebSocketTesting]; 97 [webView synchronouslyLoadHTMLString:[NSString stringWithFormat: 98 @"<script>" 99 "const socket = new WebSocket('wss://localhost:%d');" 100 "socket.onclose = function(event){ alert('close'); };" 101 "socket.onerror = function(event){ alert('error: ' + event.data); };" 102 "</script>", server.port()]]; 103 NSString *message = [delegate waitForMessage]; 104 105 if (clientAllowDeprecatedTLS) 106 [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey]; 107 108 return message; 109 }; 110 111 EXPECT_WK_STREQ(getWebSocketEvent(true, true), "close"); 112 NSString *message = getWebSocketEvent(false, true); 113 EXPECT_TRUE([message isEqualToString:@"error: undefined"] || [message isEqualToString:@"close"]); 114 EXPECT_WK_STREQ(getWebSocketEvent(false, false), "close"); 115 } 116 117 NSString *getWebSocketEventWebKitLegacy(bool clientAllowDeprecatedTLS, bool serverLimitTLS) 118 { 119 #if PLATFORM(IOS_FAMILY) 120 WebKitInitialize(); 121 WebThreadLock(); 122 #endif 123 Optional<uint16_t> maxServerTLSVersion; 124 if (serverLimitTLS) 125 maxServerTLSVersion = tls1_1; 126 TCPServer server(TCPServer::Protocol::HTTPS, [=](SSL *ssl) { 127 EXPECT_TRUE(!ssl == (clientAllowDeprecatedTLS != serverLimitTLS)); 128 }, maxServerTLSVersion); 129 130 if (clientAllowDeprecatedTLS) 131 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey]; 132 133 auto webView = adoptNS([WebView new]); 134 auto delegate = adoptNS([WebSocketDelegate new]); 135 [webView setUIDelegate:delegate.get()]; 136 WebCoreTestSupport::setAllowsAnySSLCertificate(true); 137 [[webView mainFrame] loadHTMLString:[NSString stringWithFormat: 138 @"<script>" 139 "const socket = new WebSocket('wss://localhost:%d');" 140 "socket.onclose = function(event){ alert('close'); };" 141 "socket.onerror = function(event){ alert('error: ' + event.data); };" 142 "</script>", server.port()] baseURL:nil]; 143 NSString *message = [delegate waitForMessage]; 144 145 if (clientAllowDeprecatedTLS) 146 [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey]; 147 148 return message; 149 } 150 151 TEST(WebKit, TLSVersionWebSocketWebKitLegacy1) 152 { 153 EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(true, true), "close"); 154 } 155 156 TEST(WebKit, TLSVersionWebSocketWebKitLegacy2) 157 { 158 #if PLATFORM(IOS_FAMILY) 159 const char* expected = "error: undefined"; 160 #else 161 const char* expected = "close"; 162 #endif 163 EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(false, true), expected); 164 } 165 166 TEST(WebKit, TLSVersionWebSocketWebKitLegacy3) 167 { 168 EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(false, false), "close"); 169 } 170 171 TEST(WebKit, TLSVersionNetworkSession) 106 TEST(TLSVersion, DefaultBehavior) 107 { 108 TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1); 109 auto delegate = adoptNS([TestNavigationDelegate new]); 110 auto webView = adoptNS([WKWebView new]); 111 [webView setNavigationDelegate:delegate.get()]; 112 [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) { 113 EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust); 114 callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); 115 }]; 116 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 117 [delegate waitForDidFinishNavigation]; 118 } 119 120 // FIXME: This test should remain disabled until rdar://problem/56522601 is fixed. 121 TEST(TLSVersion, DISABLED_NetworkSession) 172 122 { 173 123 static auto delegate = adoptNS([TestNavigationDelegate new]); … … 178 128 [webView setNavigationDelegate:delegate.get()]; 179 129 [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) { 130 EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust); 180 131 callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); 181 132 }]; … … 183 134 }; 184 135 { 185 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 186 EXPECT_FALSE(ssl); 187 }, tls1_1); 136 TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1); 188 137 auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]); 189 138 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 190 [delegate waitForDidFailProvisionalNavigation]; 191 } 192 { 193 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 194 EXPECT_FALSE(ssl); 195 }, tls1_1); 139 [delegate waitForDidFinishNavigation]; 140 } 141 { 142 TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1); 196 143 auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]); 197 144 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 198 [delegate waitForDidFailProvisionalNavigation]; 199 } 200 { 201 TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1); 145 [delegate waitForDidFinishNavigation]; 146 } 147 { 148 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 149 EXPECT_FALSE(ssl); 150 }, tls1_1); 202 151 auto configuration = adoptNS([[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration]); 203 [configuration setLegacyTLSEnabled: YES];152 [configuration setLegacyTLSEnabled:NO]; 204 153 auto dataStore = adoptNS([[WKWebsiteDataStore alloc] _initWithConfiguration:configuration.get()]); 205 154 auto webView = makeWebViewWith(dataStore.get()); 206 155 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 156 [delegate waitForDidFailProvisionalNavigation]; 157 } 158 [[NSUserDefaults standardUserDefaults] setBool:NO forKey:defaultsKey]; 159 { 160 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 161 EXPECT_FALSE(ssl); 162 }, tls1_1); 163 auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]); 164 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 165 [delegate waitForDidFailProvisionalNavigation]; 166 } 167 { 168 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 169 EXPECT_FALSE(ssl); 170 }, tls1_1); 171 auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]); 172 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 173 [delegate waitForDidFailProvisionalNavigation]; 174 } 175 [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey]; 176 } 177 178 // FIXME: This test should remain disabled until rdar://problem/56522601 is fixed. 179 TEST(TLSVersion, DISABLED_NavigationDelegateSPI) 180 { 181 { 182 auto delegate = adoptNS([TLSNavigationDelegate new]); 183 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 184 // FIXME: This is only if we have the new SPI. 185 EXPECT_FALSE(ssl); 186 }, tls1_1); 187 auto webView = adoptNS([WKWebView new]); 188 [webView setNavigationDelegate:delegate.get()]; 189 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 190 [delegate waitForDidFailProvisionalNavigation]; 191 EXPECT_TRUE([delegate receivedShouldAllowLegacyTLS]); 192 } 193 { 194 auto delegate = adoptNS([TLSNavigationDelegate new]); 195 delegate.get().shouldAllowLegacyTLS = YES; 196 TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1); 197 auto webView = adoptNS([WKWebView new]); 198 [webView setNavigationDelegate:delegate.get()]; 199 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 207 200 [delegate waitForDidFinishNavigation]; 208 } 209 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey]; 210 { 211 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 212 TCPServer::respondWithOK(ssl); 213 }, tls1_1); 214 auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]); 215 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 216 [delegate waitForDidFinishNavigation]; 217 } 218 { 219 TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) { 220 TCPServer::respondWithOK(ssl); 221 }, tls1_1); 222 auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]); 223 [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]]; 224 [delegate waitForDidFinishNavigation]; 225 } 226 [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey]; 227 } 201 EXPECT_TRUE([delegate receivedShouldAllowLegacyTLS]); 202 } 203 } 204 205 // FIXME: Add some tests for WKWebView.hasOnlySecureContent 228 206 229 207 }
Note:
See TracChangeset
for help on using the changeset viewer.