Disable legacy TLS versions and add a temporary default to re-enable it
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Aug 2019 18:13:08 +0000 (18:13 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Aug 2019 18:13:08 +0000 (18:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=200945

Patch by Alex Christensen <achristensen@webkit.org> on 2019-08-22
Reviewed by Brady Eidson.

Source/WebKit:

* NetworkProcess/NetworkSessionCreationParameters.cpp:
(WebKit::NetworkSessionCreationParameters::privateSessionParameters):
(WebKit::NetworkSessionCreationParameters::encode const):
(WebKit::NetworkSessionCreationParameters::decode):
* NetworkProcess/NetworkSessionCreationParameters.h:
* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeNetworkProcess):
* UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
(WebKit::WebsiteDataStore::parameters):

Source/WTF:

* wtf/Platform.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249019 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WTF/ChangeLog
Source/WTF/wtf/Platform.h
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp
Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h
Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm

index 66a76f7..b957555 100644 (file)
@@ -1,3 +1,12 @@
+2019-08-22  Alex Christensen  <achristensen@webkit.org>
+
+        Disable legacy TLS versions and add a temporary default to re-enable it
+        https://bugs.webkit.org/show_bug.cgi?id=200945
+
+        Reviewed by Brady Eidson.
+
+        * wtf/Platform.h:
+
 2019-08-22  Darin Adler  <darin@apple.com>
 
         Rename StringBuilder functions to avoid unclear "append uninitialized" terminology
index 0a85d01..38bc6b7 100644 (file)
 #define HAVE_APP_SSO 1
 #endif
 
+#if (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000 || PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500)
+#define HAVE_TLS_PROTOCOL_VERSION_T 1
+#endif
+
 #if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000
 #define USE_UICONTEXTMENU 1
 #endif
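Review bot: The new `HAVE_TLS_PROTOCOL_VERSION_T` condition mixes `&&` and `||` with no grouping parentheses, so a reader has to fall back on operator precedence to see that the two platform/version pairs are independent alternatives; `#if ((PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500))` says the same thing unambiguously. The macro name alone also does not say which API it stands for; a one-line comment such as `// tls_protocol_version_t and NSURLSessionConfiguration.TLSMinimumSupportedProtocolVersion exist from iOS 13 / macOS 10.15.` would match how it is consumed in NetworkSessionCocoa.mm.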
index eb93403..822e770 100644 (file)
@@ -1,3 +1,22 @@
+2019-08-22  Alex Christensen  <achristensen@webkit.org>
+
+        Disable legacy TLS versions and add a temporary default to re-enable it
+        https://bugs.webkit.org/show_bug.cgi?id=200945
+
+        Reviewed by Brady Eidson.
+
+        * NetworkProcess/NetworkSessionCreationParameters.cpp:
+        (WebKit::NetworkSessionCreationParameters::privateSessionParameters):
+        (WebKit::NetworkSessionCreationParameters::encode const):
+        (WebKit::NetworkSessionCreationParameters::decode):
+        * NetworkProcess/NetworkSessionCreationParameters.h:
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+        * UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
+        (WebKit::WebsiteDataStore::parameters):
+
 2019-08-17  Darin Adler  <darin@apple.com>
 
         Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends
index b29f493..ebcc6c2 100644 (file)
@@ -40,17 +40,41 @@ namespace WebKit {
 
 NetworkSessionCreationParameters NetworkSessionCreationParameters::privateSessionParameters(const PAL::SessionID& sessionID)
 {
-    return { sessionID, { }, AllowsCellularAccess::Yes
+    return {
+        sessionID
+        , { }
+        , AllowsCellularAccess::Yes
 #if PLATFORM(COCOA)
-        , { }, { }, { }, AllowsTLSFallback::Yes, false, { }, { }, { }
+        , { }
+        , { }
+        , { }
+        , AllowsTLSFallback::Yes
+        , false
+        , { }
+        , { }
+        , { }
+        , false
 #endif
 #if USE(SOUP)
-        , { }, SoupCookiePersistentStorageType::Text
+        , { }
+        , SoupCookiePersistentStorageType::Text
 #endif
 #if USE(CURL)
-        , { }, { }
+        , { }
+        , { }
 #endif
-        , { }, { }, false, false, { }, { }, { }, { }, { }, { }, { }, { }
+        , { }
+        , { }
+        , false
+        , false
+        , { }
+        , { }
+        , { }
+        , { }
+        , { }
+        , { }
+        , { }
+        , { }
     };
 }
 
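Review bot: `privateSessionParameters` hard-codes the new `enableLegacyTLS` slot to `false`, so ephemeral sessions never see the `WebKitEnableLegacyTLS` default that WebProcessPoolCocoa.mm and WebsiteDataStoreCocoa.mm read for the other data stores; a user who sets that default to reach a legacy host will find it working in normal browsing but failing in private browsing. If that asymmetry is intended (private sessions stay at the TLS 1.2 floor regardless of the opt-out), a comment on the literal should say so, e.g. `, false // enableLegacyTLS: private sessions always keep the TLS 1.2 floor`; otherwise the value needs to be plumbed from the same default. The long run of positional `{ }`/`false` initializers also makes it easy to land a slot in the wrong position, and a trailing `// fieldName` comment on the new entry would make the mapping to the struct checkable at a glance.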
@@ -68,6 +92,7 @@ void NetworkSessionCreationParameters::encode(IPC::Encoder& encoder) const
     encoder << loadThrottleLatency;
     encoder << httpProxy;
     encoder << httpsProxy;
+    encoder << enableLegacyTLS;
 #endif
 #if USE(SOUP)
     encoder << cookiePersistentStoragePath;
@@ -148,6 +173,11 @@ Optional<NetworkSessionCreationParameters> NetworkSessionCreationParameters::dec
     decoder >> httpsProxy;
     if (!httpsProxy)
         return WTF::nullopt;
+
+    Optional<bool> enableLegacyTLS;
+    decoder >> enableLegacyTLS;
+    if (!enableLegacyTLS)
+        return WTF::nullopt;
 #endif
 
 #if USE(SOUP)
@@ -247,6 +277,7 @@ Optional<NetworkSessionCreationParameters> NetworkSessionCreationParameters::dec
         , WTFMove(*loadThrottleLatency)
         , WTFMove(*httpProxy)
         , WTFMove(*httpsProxy)
+        , WTFMove(*enableLegacyTLS)
 #endif
 #if USE(SOUP)
         , WTFMove(*cookiePersistentStoragePath)
index 50be30e..6e35aa2 100644 (file)
@@ -72,6 +72,7 @@ struct NetworkSessionCreationParameters {
     Seconds loadThrottleLatency;
     URL httpProxy;
     URL httpsProxy;
+    bool enableLegacyTLS { false };
 #endif
 #if USE(SOUP)
     String cookiePersistentStoragePath;
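Review bot: The new `enableLegacyTLS` member is undocumented, and its name reads like a capability flag while the behaviour in NetworkSessionCocoa.mm is an opt-out from the TLS 1.2 minimum; a short comment would keep the next reader from guessing. Suggested: `bool enableLegacyTLS { false }; // Temporary opt-out (WebKitEnableLegacyTLS default): false raises the Cocoa session's minimum protocol to TLS 1.2, true leaves the platform default in place.` The struct continues outside the hunk.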
index 34558da..95fb783 100644 (file)
@@ -940,6 +940,14 @@ NetworkSessionCocoa::NetworkSessionCocoa(NetworkProcess& networkProcess, Network
 
     NSURLSessionConfiguration *configuration = configurationForSessionID(m_sessionID);
 
+    if (!parameters.enableLegacyTLS) {
+#if HAVE(TLS_PROTOCOL_VERSION_T)
+        configuration.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;
+#else
+        configuration.TLSMinimumSupportedProtocol = kTLSProtocol12;
+#endif
+    }
+
 #if HAVE(APP_SSO)
     configuration._preventsAppSSO = true;
 #endif
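Review bot: The new guard leaves no trace of why `enableLegacyTLS` being true means doing nothing here: the session then keeps whatever minimum protocol `configurationForSessionID` supplied, which is exactly the weakening this default exists to permit, and nothing ties the "temporary" default to a removal plan. A comment such as `// FIXME(webkit.org/b/200945): WebKitEnableLegacyTLS is a temporary opt-out. When unset the session refuses protocol versions below TLS 1.2; when set we deliberately leave the platform's default minimum in place.` would document both. It may also be worth emitting a release-log line on the opt-out path so that deployments running with a lowered TLS floor are visible in logs rather than silent; that is a suggestion, as the logging conventions of this file are not visible in the hunk. The constructor's body continues outside the hunk in both directions.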
index e5e32d2..9fd6a61 100644 (file)
@@ -281,6 +281,8 @@ void WebProcessPool::platformInitializeNetworkProcess(NetworkProcessCreationPara
         }
     }
 
+    parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = [defaults boolForKey:@"WebKitEnableLegacyTLS"];
+
     parameters.networkATSContext = adoptCF(_CFNetworkCopyATSContext());
 
 #if PLATFORM(IOS_FAMILY)
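Review bot: The defaults key `@"WebKitEnableLegacyTLS"` is spelled as a string literal here and again in the WebsiteDataStoreCocoa.mm hunk (`bool enableLegacyTLS = [defaults boolForKey:@"WebKitEnableLegacyTLS"];`), so the two readers can silently drift apart; WebsiteDataStoreCocoa.mm already uses a named constant for a comparable key (`WebKitNetworkLoadThrottleLatencyMillisecondsDefaultsKey`), and the new key should follow that pattern, e.g. `[defaults boolForKey:WebKitEnableLegacyTLSDefaultsKey]` with the constant (name proposed here) declared once in a shared header. Here the value is written only into `defaultDataStoreParameters`, so non-default persistent stores depend on the WebsiteDataStoreCocoa.mm read; that looks intended but deserves a sentence in the commit message. `platformInitializeNetworkProcess` continues outside the hunk.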
index a0544d0..6ce2830 100644 (file)
@@ -69,6 +69,7 @@ WebsiteDataStoreParameters WebsiteDataStore::parameters()
     bool enableResourceLoadStatisticsDebugMode = false;
     bool enableResourceLoadStatisticsNSURLSessionSwitching = WebCore::RuntimeEnabledFeatures::sharedFeatures().isITPSessionSwitchingEnabled();
     WebCore::RegistrableDomain resourceLoadStatisticsManualPrevalentResource { };
+    bool enableLegacyTLS = [defaults boolForKey:@"WebKitEnableLegacyTLS"];
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
     enableResourceLoadStatisticsDebugMode = [defaults boolForKey:@"ITPDebugMode"];
     auto* manualPrevalentResource = [defaults stringForKey:@"ITPManualPrevalentResource"];
@@ -128,6 +129,7 @@ WebsiteDataStoreParameters WebsiteDataStore::parameters()
         Seconds { [defaults integerForKey:WebKitNetworkLoadThrottleLatencyMillisecondsDefaultsKey] / 1000. },
         WTFMove(httpProxy),
         WTFMove(httpsProxy),
+        enableLegacyTLS,
         WTFMove(resourceLoadStatisticsDirectory),
         WTFMove(resourceLoadStatisticsDirectoryHandle),
         false,