From 14d8add7ca9be51dab0ebb46fd3edabd63d06739 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Mon, 19 Mar 2018 20:35:28 -0700
Subject: [PATCH] #334, closes #489: enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for amtrak.com
---
 netwerk/base/security-prefs.js | 1 +
 security/manager/ssl/nsNSSCallbacks.cpp | 11 +++++++++++
 security/manager/ssl/nsNSSComponent.cpp | 3 +++
 3 files changed, 15 insertions(+)
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index fc471396a..8da51b905 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -19,6 +19,7 @@ pref("security.ssl.enable_alpn", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
+pref("security.ssl3.ecdhe_rsa_aes_128_sha256", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
 pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
index 6fb8e3080..ab9a788ba 100644
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -30,8 +30,10 @@ using namespace mozilla::psm;
 extern PRLogModuleInfo* gPIPNSSLog;
+#if (0) // TenFourFox issue 334
 static void AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo);
+#endif
 namespace {
@@ -1027,6 +1029,7 @@ CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart)
 return SECSuccess;
 }
+#if(0) // TenFourFox issue 334
 static void AccumulateNonECCKeySize(Telemetry::ID probe, uint32_t bits) {
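Review bot: The added `pref("security.ssl3.ecdhe_rsa_aes_128_sha256", true);` in the `@@ -19,6 +19,7 @@` hunk of security-prefs.js offers a CBC-mode suite on every TLS connection, although the subject line motivates it with a single host, and the pref file carries no comment saying so. The matching sCipherPrefs entry in nsNSSComponent.cpp is marked as a stopgap, so the same marker belongs here, for example `// stopgap for TenFourFox issue 489 (CBC suite); revisit once an AEAD alternative ships`. The suite is the same kind as the `ecdhe_rsa_aes_128_sha` pref already enabled on the line above, but each extra CBC suite gives a server one more non-AEAD option to select and changes the ClientHello the browser sends, so the default should be revisited rather than kept indefinitely.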
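Review bot: The guard in the `@@ -30,8 +30,10 @@` hunk of nsNSSCallbacks.cpp is spelled `#if (0)` while every other guard this patch adds to the file is `#if(0)`, and none of the added `#endif` lines is labelled. The guard opened in the `@@ -1027,6 +1029,7 @@` hunk is closed only in the `@@ -1114,6 +1118,7 @@` hunk, roughly ninety lines later, so a reader at either end cannot tell what is compiled out. Use one spelling throughout and label each close, `#endif // TenFourFox issue 334`; the same applies to the `#endif` lines in the `@@ -1155,6 +1161,7 @@`, `@@ -1163,17 +1170,20 @@` and `@@ -1223,6 +1233,7 @@` hunks.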
@@ -1076,6 +1079,7 @@ AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
 case TLS_ECDHE_RSA_WITH_RC4_128_SHA: value = 8; break;
 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: value = 9; break;
 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 10; break;
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: value = 11; break; // just in case, issue 489
 // DHE key exchange
 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: value = 21; break;
 case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 22; break;
@@ -1114,6 +1118,7 @@ AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
 MOZ_ASSERT(value != 0);
 Telemetry::Accumulate(probe, value);
 }
+#endif
 void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 nsNSSShutDownPreventionLock locker;
@@ -1146,6 +1151,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
 MOZ_ASSERT(rv == SECSuccess);
 if (rv == SECSuccess) {
+#if(0) // TenFourFox issue 334
 // Get the protocol version for telemetry
 // 1=tls1, 2=tls1.1, 3=tls1.2
 unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
@@ -1155,6 +1161,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 infoObject->IsFullHandshake() ? Telemetry::SSL_CIPHER_SUITE_FULL : Telemetry::SSL_CIPHER_SUITE_RESUMED, channelInfo);
+#endif
 SSLCipherSuiteInfo cipherInfo;
 rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
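Review bot: The added `case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: value = 11; break;` in the `@@ -1076,6 +1079,7 @@` hunk sits in AccumulateCipherSuite, which this same patch compiles out: the `#if(0)` added in the `@@ -1027,6 +1029,7 @@` hunk is closed only by the `#endif` after this function in the `@@ -1114,6 +1118,7 @@` hunk. The case is therefore dead code, and the bucket number 11 appears to be a local choice that nothing in the hunk ties to the histogram behind `SSL_CIPHER_SUITE_FULL` / `SSL_CIPHER_SUITE_RESUMED`. If the line is kept for a future re-enable, say so beside it, e.g. `// TenFourFox-local bucket, unused while telemetry is compiled out; recheck the histogram buckets before re-enabling`. The function body starts and ends outside this hunk.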
@@ -1163,17 +1170,20 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 if (rv == SECSuccess) {
 usesWeakCipher = cipherInfo.symCipher == ssl_calg_rc4;
+#if(0)
 // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
 Telemetry::Accumulate( infoObject->IsFullHandshake() ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED, cipherInfo.keaType);
+#endif
 DebugOnly KEAUsed;
 MOZ_ASSERT(NS_SUCCEEDED(infoObject->GetKEAUsed(&KEAUsed)) && (KEAUsed == cipherInfo.keaType));
+#if(0)
 if (infoObject->IsFullHandshake()) {
 switch (cipherInfo.keaType) {
 case ssl_kea_rsa:
@@ -1223,6 +1233,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED, cipherInfo.symCipher);
+#endif
 }
 }
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 135af10dc..21a5c3153 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -623,6 +623,9 @@ static const CipherPref sCipherPrefs[] = {
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, true },
 { "security.ssl3.ecdhe_ecdsa_aes_128_sha",
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, true },
+ // stopgap for TenFourFox issue 489 pending ChaCha20/Poly1305 implementation
+ { "security.ssl3.ecdhe_rsa_aes_128_sha256",
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, true },
 { "security.ssl3.ecdhe_rsa_aes_256_sha",
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, true },
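Review bot: The second `#if(0)` in the `@@ -1163,17 +1170,20 @@` hunk opens in front of `if (infoObject->IsFullHandshake()) {` and is closed only by the `#endif` in the `@@ -1223,6 +1233,7 @@` hunk, so several dozen lines of HandshakeCallback that the patch does not show are compiled out. If that region holds anything besides telemetry calls, for instance a default branch that rejects an unexpected `cipherInfo.keaType`, it disappears with the guard; that is worth confirming against the full file before merge. Both guards in this hunk also lack the issue tag the earlier ones carry, so state the scope on the line itself, e.g. `#if(0) // TenFourFox issue 334: telemetry only, no handshake state touched`. HandshakeCallback starts and ends outside the hunk.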