diff --git a/browser/installer/Makefile.in b/browser/installer/Makefile.in index 7b0de1a5fcaa..07035b61986a 100644 --- a/browser/installer/Makefile.in +++ b/browser/installer/Makefile.in @@ -45,10 +45,6 @@ ifdef MOZ_SYSTEM_NSS DEFINES += -DMOZ_SYSTEM_NSS=1 endif -ifdef NSS_DISABLE_DBM -DEFINES += -DNSS_DISABLE_DBM=1 -endif - ifdef MOZ_ARTIFACT_BUILDS DEFINES += -DMOZ_ARTIFACT_BUILDS=1 endif diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in index 92ae9f605273..71682f916f10 100644 --- a/browser/installer/package-manifest.in +++ b/browser/installer/package-manifest.in @@ -361,9 +361,6 @@ bin/libfreebl_64int_3.so #endif @BINPATH@/@DLL_PREFIX@nss3@DLL_SUFFIX@ @BINPATH@/@DLL_PREFIX@nssckbi@DLL_SUFFIX@ -#ifndef NSS_DISABLE_DBM -@BINPATH@/@DLL_PREFIX@nssdbm3@DLL_SUFFIX@ -#endif #ifndef MOZ_FOLD_LIBS @BINPATH@/@DLL_PREFIX@nssutil3@DLL_SUFFIX@ @BINPATH@/@DLL_PREFIX@smime3@DLL_SUFFIX@ diff --git a/mobile/android/installer/Makefile.in b/mobile/android/installer/Makefile.in index 9bc09b3d92cf..7fa67fa90a2b 100644 --- a/mobile/android/installer/Makefile.in +++ b/mobile/android/installer/Makefile.in @@ -30,10 +30,6 @@ DEFINES += \ -DANDROID_CPU_ARCH=$(ANDROID_CPU_ARCH) \ $(NULL) -ifdef NSS_DISABLE_DBM -DEFINES += -DNSS_DISABLE_DBM=1 -endif - ifdef MOZ_DEBUG DEFINES += -DMOZ_DEBUG=1 endif diff --git a/mobile/android/installer/package-manifest.in b/mobile/android/installer/package-manifest.in index fcd936b8f77d..00c387cefe93 100644 --- a/mobile/android/installer/package-manifest.in +++ b/mobile/android/installer/package-manifest.in @@ -71,12 +71,6 @@ @BINPATH@/@DLL_PREFIX@freebl3.chk @BINPATH@/@DLL_PREFIX@softokn3.chk #endif -#ifndef NSS_DISABLE_DBM -@BINPATH@/@DLL_PREFIX@nssdbm3@DLL_SUFFIX@ -#ifndef CROSS_COMPILE -@BINPATH@/@DLL_PREFIX@nssdbm3.chk -#endif -#endif #ifndef MOZ_FOLD_LIBS @BINPATH@/@DLL_PREFIX@mozsqlite3@DLL_SUFFIX@ diff --git a/modules/libmar/tests/unit/data/cert8.db b/modules/libmar/tests/unit/data/cert8.db deleted file mode 100644 index d1ed9300dbd0..000000000000 Binary files a/modules/libmar/tests/unit/data/cert8.db and /dev/null differ diff --git a/modules/libmar/tests/unit/data/cert9.db b/modules/libmar/tests/unit/data/cert9.db new file mode 100644 index 000000000000..e0d6191e64c4 Binary files /dev/null and b/modules/libmar/tests/unit/data/cert9.db differ diff --git a/modules/libmar/tests/unit/data/key3.db b/modules/libmar/tests/unit/data/key3.db deleted file mode 100644 index baa9fe40c160..000000000000 Binary files a/modules/libmar/tests/unit/data/key3.db and /dev/null differ diff --git a/modules/libmar/tests/unit/data/key4.db b/modules/libmar/tests/unit/data/key4.db new file mode 100644 index 000000000000..85c9c5a21533 Binary files /dev/null and b/modules/libmar/tests/unit/data/key4.db differ diff --git a/modules/libmar/tests/unit/data/secmod.db b/modules/libmar/tests/unit/data/secmod.db deleted file mode 100644 index 3378adb02259..000000000000 Binary files a/modules/libmar/tests/unit/data/secmod.db and /dev/null differ diff --git a/python/mozbuild/mozbuild/artifacts.py b/python/mozbuild/mozbuild/artifacts.py index d869b12800fb..41aa20052054 100644 --- a/python/mozbuild/mozbuild/artifacts.py +++ b/python/mozbuild/mozbuild/artifacts.py @@ -470,7 +470,6 @@ class MacArtifactJob(ArtifactJob): 'libmozglue.dylib', 'libnss3.dylib', 'libnssckbi.dylib', - 'libnssdbm3.dylib', 'libplugin_child_interpose.dylib', # 'libreplace_jemalloc.dylib', # 'libreplace_malloc.dylib', diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build index f534ac8ac2e6..e2b04f67f39a 100644 --- a/security/manager/ssl/moz.build +++ b/security/manager/ssl/moz.build @@ -228,9 +228,6 @@ GeneratedFile('nsSTSPreloadList.h', script='../../../xpcom/ds/tools/make_dafsa.py', inputs=['nsSTSPreloadList.inc']) -if CONFIG['NSS_DISABLE_DBM']: - DEFINES['NSS_DISABLE_DBM'] = '1' - DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True' DEFINES['NSS_ENABLE_ECC'] = 'True' diff --git a/security/manager/ssl/tests/unit/test_broken_fips.js b/security/manager/ssl/tests/unit/test_broken_fips.js index 9e51bfd9316d..5c90c64173b5 100644 --- a/security/manager/ssl/tests/unit/test_broken_fips.js +++ b/security/manager/ssl/tests/unit/test_broken_fips.js @@ -8,19 +8,19 @@ // Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was // in FIPS mode, Firefox can still make use of keys in the key database. // secomd.db can be created via `certutil -N -d `. Putting it in FIPS mode -// involves running `modutil -fips true -dbdir `. key3.db is from -// test_sdr_preexisting/key3.db. +// involves running `modutil -fips true -dbdir `. key4.db is from +// test_sdr_preexisting/key4.db. function run_test() { let profile = do_get_profile(); - let keyDBName = "key3.db"; + let keyDBName = "key4.db"; let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`); keyDBFile.copyTo(profile, keyDBName); - let secmodDBName = "secmod.db"; - let secmodDBFile = do_get_file(`test_broken_fips/${secmodDBName}`); - secmodDBFile.copyTo(profile, secmodDBName); + let pkcs11modDBName = "pkcs11.txt"; + let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`); + pkcs11modDBFile.copyTo(profile, pkcs11modDBName); let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( Ci.nsIPKCS11ModuleDB @@ -41,7 +41,10 @@ function run_test() { "decrypted ciphertext should match expected plaintext" ); - let secmodDBFileFIPS = do_get_profile(); - secmodDBFileFIPS.append(`${secmodDBName}.fips`); - ok(secmodDBFileFIPS.exists(), "backed-up PKCS#11 module db should now exist"); + let pkcs11modDBFileFIPS = do_get_profile(); + pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`); + ok( + pkcs11modDBFileFIPS.exists(), + "backed-up PKCS#11 module db should now exist" + ); } diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key3.db b/security/manager/ssl/tests/unit/test_broken_fips/key3.db deleted file mode 100644 index b81b629dfa07..000000000000 Binary files a/security/manager/ssl/tests/unit/test_broken_fips/key3.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key4.db b/security/manager/ssl/tests/unit/test_broken_fips/key4.db new file mode 100644 index 000000000000..8f320dfdbd26 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_broken_fips/key4.db differ diff --git a/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt new file mode 100644 index 000000000000..78a11f5fa75f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal FIPS PKCS #11 Module +parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] } Flags=internal,FIPS,critical + diff --git a/security/manager/ssl/tests/unit/test_broken_fips/secmod.db b/security/manager/ssl/tests/unit/test_broken_fips/secmod.db deleted file mode 100644 index c9245b748296..000000000000 Binary files a/security/manager/ssl/tests/unit/test_broken_fips/secmod.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js index 55c499e66c26..f14f465cde0e 100644 --- a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js +++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js @@ -17,9 +17,7 @@ // `certutil -d . -A -n "Let's Encrypt Authority X1" -t ,, -a \ // -i LetsEncrypt.pem` // -// This should create cert8.db and key3.db files for use on non-Android -// platforms. Perform the same steps with "sql:." as the argument to the "-d" -// flag to create cert9.db and key4.db for use with Android. +// This should create the cert9.db and key4.db files. // // (The crucial property of the first certificate is that it is a built-in trust // anchor, so any replacement must also have this property. The second @@ -77,9 +75,8 @@ "use strict"; function run_test() { - const isAndroid = AppConstants.platform == "android"; - const certDBName = isAndroid ? "cert9.db" : "cert8.db"; - const keyDBName = isAndroid ? "key4.db" : "key3.db"; + const certDBName = "cert9.db"; + const keyDBName = "key4.db"; let profile = do_get_profile(); let certDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${certDBName}`); certDBFile.copyTo(profile, certDBName); diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert8.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert8.db deleted file mode 100644 index 87abcf35a3e0..000000000000 Binary files a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert8.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key3.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key3.db deleted file mode 100644 index 37241a7437ab..000000000000 Binary files a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key3.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting.js b/security/manager/ssl/tests/unit/test_sdr_preexisting.js index 5f125c15c98f..69b5c194df72 100644 --- a/security/manager/ssl/tests/unit/test_sdr_preexisting.js +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting.js @@ -9,171 +9,11 @@ // a preexisting NSS key database. Creating the database is straight-forward: // simply run Firefox (or xpcshell) and encrypt something using // nsISecretDecoderRing (e.g. by saving a password or directly using the -// interface). The resulting key3.db file (in the profile directory) now +// interface). The resulting key4.db file (in the profile directory) now // contains the private key used to encrypt the data. -// "Upgrading" a key3.db with certutil to use on Android appears not to work. -// Because the keys have to be the same for this test to work the way it does, -// the key from key3.db must be extracted and added to a new key4.db. This can -// be done with NSS' PK11_* APIs like so (although note that the following code -// is not guaranteed to compile or work, but is more of a guideline for how to -// do this in the future if necessary): -// -// #include -// -// #include "nss.h" -// #include "pk11pub.h" -// #include "prerror.h" -// #include "secerr.h" -// -// void printPRError(const char* message) { -// fprintf(stderr, "%s: %s\n", message, PR_ErrorToString(PR_GetError(), 0)); -// } -// -// int main(int argc, char* argv[]) { -// if (NSS_Initialize(".", "", "", "", NSS_INIT_NOMODDB | NSS_INIT_NOROOTINIT) -// != SECSuccess) { -// printPRError("NSS_Initialize failed"); -// return 1; -// } -// -// PK11SlotInfo* slot = PK11_GetInternalKeySlot(); -// if (!slot) { -// printPRError("PK11_GetInternalKeySlot failed"); -// return 1; -// } -// -// // Create a key to wrap the SDR key to export it. -// unsigned char wrappingKeyIDBytes[] = { 0 }; -// SECItem wrappingKeyID = { -// siBuffer, -// wrappingKeyIDBytes, -// sizeof(wrappingKeyIDBytes) -// }; -// PK11SymKey* wrappingKey = PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, -// &wrappingKeyID, PR_FALSE, NULL); -// if (!wrappingKey) { -// printPRError("PK11_TokenKeyGen failed"); -// return 1; -// } -// -// // This is the magic identifier NSS uses for the SDR key. -// unsigned char sdrKeyIDBytes[] = { -// 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -// 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 -// }; -// SECItem sdrKeyID = { siBuffer, sdrKeyIDBytes, sizeof(sdrKeyIDBytes) }; -// PK11SymKey* sdrKey = PK11_FindFixedKey(slot, CKM_DES3_CBC, &sdrKeyID, -// NULL); -// if (!sdrKey) { -// printPRError("PK11_FindFixedKey failed"); -// return 1; -// } -// -// // Wrap the SDR key. -// unsigned char wrappedKeyBuf[1024]; -// SECItem wrapped = { siBuffer, wrappedKeyBuf, sizeof(wrappedKeyBuf) }; -// if (PK11_WrapSymKey(CKM_DES3_ECB, NULL, wrappingKey, sdrKey, &wrapped) -// != SECSuccess) { -// printPRError("PK11_WrapSymKey failed"); -// return 1; -// } -// -// // Unwrap the SDR key (NSS considers the SDR key "sensitive" and so won't -// // just export it as raw key material - we have to export it and then -// // re-import it as non-sensitive to get that data. -// PK11SymKey* unwrapped = PK11_UnwrapSymKey(wrappingKey, CKM_DES3_ECB, NULL, -// &wrapped, CKM_DES3_CBC, -// CKA_ENCRYPT, 0); -// if (!unwrapped) { -// printPRError("PK11_UnwrapSymKey failed"); -// return 1; -// } -// if (PK11_ExtractKeyValue(unwrapped) != SECSuccess) { -// printPRError("PK11_ExtractKeyValue failed"); -// return 1; -// } -// SECItem* keyData = PK11_GetKeyData(unwrapped); -// if (!keyData) { -// printPRError("PK11_GetKeyData failed"); -// return 1; -// } -// for (int i = 0; i < keyData->len; i++) { -// printf("0x%02hhx, ", keyData->data[i]); -// } -// printf("\n"); -// -// PK11_FreeSymKey(unwrapped); -// PK11_FreeSymKey(sdrKey); -// PK11_FreeSymKey(wrappingKey); -// PK11_FreeSlot(slot); -// -// if (NSS_Shutdown() != SECSuccess) { -// printPRError("NSS_Shutdown failed"); -// return 1; -// } -// return 0; -// } -// -// The output of compiling and running the above should be the bytes of the SDR -// key. Given that, create a key4.db with an empty password using -// `certutil -N -d sql:.` and then compile and run the following: -// -// #include -// -// #include "nss.h" -// #include "pk11pub.h" -// #include "prerror.h" -// #include "secerr.h" -// #include "secmod.h" -// -// void printPRError(const char* message) { -// fprintf(stderr, "%s: %s\n", message, PR_ErrorToString(PR_GetError(), 0)); -// } -// -// int main(int argc, char* argv[]) { -// if (NSS_Initialize("sql:.", "", "", "", -// NSS_INIT_NOMODDB | NSS_INIT_NOROOTINIT) != SECSuccess) { -// printPRError("NSS_Initialize failed"); -// return 1; -// } -// -// PK11SlotInfo* slot = PK11_GetInternalKeySlot(); -// if (!slot) { -// printPRError("PK11_GetInternalKeySlot failed"); -// return 1; -// } -// -// // These are the bytes of the SDR key from the previous step: -// unsigned char keyBytes[] = { -// 0x70, 0xab, 0xea, 0x1f, 0x8f, 0xe3, 0x4a, 0x7a, 0xb5, 0xb0, 0x43, 0xe5, -// 0x51, 0x83, 0x86, 0xe5, 0xb3, 0x43, 0xa8, 0x1f, 0xc1, 0x57, 0x86, 0x46 -// }; -// SECItem keyItem = { siBuffer, keyBytes, sizeof(keyBytes) }; -// PK11SymKey* key = PK11_ImportSymKey(slot, CKM_DES3_CBC, PK11_OriginUnwrap, -// CKA_ENCRYPT, &keyItem, NULL); -// if (!key) { -// printPRError("PK11_ImportSymKey failed"); -// return 1; -// } -// -// PK11_FreeSymKey(key); -// PK11_FreeSlot(slot); -// -// if (NSS_Shutdown() != SECSuccess) { -// printPRError("NSS_Shutdown failed"); -// return 1; -// } -// return 0; -// } -// -// This should create a key4.db file with the SDR key. (Note however that this -// does not set the magic key ID for the SDR key. Currently this is not a -// problem because the NSS implementation that backs the SDR simply tries all -// applicable keys it has when decrypting, so this still works.) function run_test() { - const isAndroid = AppConstants.platform == "android"; - const keyDBName = isAndroid ? "key4.db" : "key3.db"; + const keyDBName = "key4.db"; let profile = do_get_profile(); let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`); keyDBFile.copyTo(profile, keyDBName); diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key3.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key3.db deleted file mode 100644 index b81b629dfa07..000000000000 Binary files a/security/manager/ssl/tests/unit/test_sdr_preexisting/key3.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db index ba1c88ae8de5..8f320dfdbd26 100644 Binary files a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db and b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db differ diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js index 58695c4bbbe6..0661c85412e6 100644 --- a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js @@ -58,8 +58,8 @@ function run_test() { }); let profile = do_get_profile(); - let keyDBFile = do_get_file("test_sdr_preexisting_with_password/key3.db"); - keyDBFile.copyTo(profile, "key3.db"); + let keyDBFile = do_get_file("test_sdr_preexisting_with_password/key4.db"); + keyDBFile.copyTo(profile, "key4.db"); let sdr = Cc["@mozilla.org/security/sdr;1"].getService( Ci.nsISecretDecoderRing diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key3.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key3.db deleted file mode 100644 index cac0808ac32c..000000000000 Binary files a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key3.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db new file mode 100644 index 000000000000..959718da343e Binary files /dev/null and b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db differ diff --git a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password.js b/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password.js deleted file mode 100644 index afa3c1bb2843..000000000000 --- a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password.js +++ /dev/null @@ -1,149 +0,0 @@ -// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -"use strict"; - -// Tests that the SDR implementation is able to decrypt strings encrypted using -// a preexisting NSS key database that a) has a password and b) has already been -// upgraded from the old dbm format in a previous run of Firefox. -// To create such a database, run the xpcshell test -// `test_sdr_preexisting_with_password.js` and locate the file `key4.db` created -// in the xpcshell test profile directory. -// This does not apply to Android as the dbm implementation was never enabled on -// that platform. - -var gMockPrompter = { - passwordToTry: "password", - numPrompts: 0, - - // This intentionally does not use arrow function syntax to avoid an issue - // where in the context of the arrow function, |this != gMockPrompter| due to - // how objects get wrapped when going across xpcom boundaries. - promptPassword(dialogTitle, text, password, checkMsg, checkValue) { - this.numPrompts++; - if (this.numPrompts > 1) { - // don't keep retrying a bad password - return false; - } - equal( - text, - "Please enter your master password.", - "password prompt text should be as expected" - ); - equal(checkMsg, null, "checkMsg should be null"); - ok(this.passwordToTry, "passwordToTry should be non-null"); - password.value = this.passwordToTry; - return true; - }, - - QueryInterface: ChromeUtils.generateQI([Ci.nsIPrompt]), -}; - -// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt -// to call promptPassword. We return the mock one, above. -var gWindowWatcher = { - getNewPrompter: () => gMockPrompter, - QueryInterface: ChromeUtils.generateQI([Ci.nsIWindowWatcher]), -}; - -function run_test() { - let windowWatcherCID = MockRegistrar.register( - "@mozilla.org/embedcomp/window-watcher;1", - gWindowWatcher - ); - registerCleanupFunction(() => { - MockRegistrar.unregister(windowWatcherCID); - }); - - let profile = do_get_profile(); - let key3DBFile = do_get_file("test_sdr_upgraded_with_password/key3.db"); - key3DBFile.copyTo(profile, "key3.db"); - let key4DBFile = do_get_file("test_sdr_upgraded_with_password/key4.db"); - key4DBFile.copyTo(profile, "key4.db"); - // Unfortunately we have to also copy the certificate databases as well. - // Otherwise, NSS will think it has to create them, which will cause NSS to - // think it has to also do a migration, which will open key3.db and not close - // it until shutdown, which means that on Windows removing the file just after - // startup fails. Luckily users profiles will have both key and certificate - // databases anyway, so this is an accurate reflection of normal use. - let cert8DBFile = do_get_file("test_sdr_upgraded_with_password/cert8.db"); - cert8DBFile.copyTo(profile, "cert8.db"); - let cert9DBFile = do_get_file("test_sdr_upgraded_with_password/cert9.db"); - cert9DBFile.copyTo(profile, "cert9.db"); - - let sdr = Cc["@mozilla.org/security/sdr;1"].getService( - Ci.nsISecretDecoderRing - ); - - let testcases = [ - // a full padding block - { - ciphertext: - "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d", - plaintext: "password", - }, - // 7 bytes of padding - { - ciphertext: - "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==", - plaintext: "a", - }, - // 6 bytes of padding - { - ciphertext: - "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==", - plaintext: "bb", - }, - // 1 byte of padding - { - ciphertext: - "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==", - plaintext: "!seven!", - }, - // 2 bytes of padding - { - ciphertext: - "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==", - plaintext: "sixsix", - }, - // long plaintext requiring more than two blocks - { - ciphertext: - "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=", - plaintext: "thisismuchlongerandsotakesupmultipleblocks", - }, - // this differs from the previous ciphertext by one bit and demonstrates - // that this implementation does not enforce message integrity - { - ciphertext: - "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=", - plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks", - }, - ]; - - for (let testcase of testcases) { - let decrypted = sdr.decryptString(testcase.ciphertext); - equal( - decrypted, - testcase.plaintext, - "decrypted ciphertext should match expected plaintext" - ); - } - equal( - gMockPrompter.numPrompts, - 1, - "Should have been prompted for a password once" - ); - - // NSS does not close the old database when performing an upgrade. Thus, on - // Windows, we can't delete the old database file on the run that we perform - // an upgrade. However, we can delete it on subsequent runs. - let key3DBInProfile = do_get_profile(); - key3DBInProfile.append("key3.db"); - ok( - !key3DBInProfile.exists(), - "key3.db should not exist after running with key4.db with a password" - ); -} diff --git a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/cert8.db b/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/cert8.db deleted file mode 100644 index ac40a3325724..000000000000 Binary files a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/cert8.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/cert9.db b/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/cert9.db deleted file mode 100644 index 163d07a6f325..000000000000 Binary files a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/cert9.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/key3.db b/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/key3.db deleted file mode 100644 index cac0808ac32c..000000000000 Binary files a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/key3.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/key4.db deleted file mode 100644 index 8c853543cc3e..000000000000 Binary files a/security/manager/ssl/tests/unit/test_sdr_upgraded_with_password/key4.db and /dev/null differ diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini index cbc96463e039..198bfb7d4768 100644 --- a/security/manager/ssl/tests/unit/xpcshell.ini +++ b/security/manager/ssl/tests/unit/xpcshell.ini @@ -39,7 +39,6 @@ support-files = test_sanctions/** test_sdr_preexisting/** test_sdr_preexisting_with_password/** - test_sdr_upgraded_with_password/** test_self_signed_certs/** test_signed_apps/** test_startcom_wosign/** @@ -190,10 +189,9 @@ run-sequentially = hardcoded ports run-sequentially = hardcoded ports [test_sdr.js] [test_sdr_preexisting.js] -[test_sdr_preexisting_with_password.js] # Not relevant to Android. See the comment in the test. skip-if = toolkit == 'android' -[test_sdr_upgraded_with_password.js] +[test_sdr_preexisting_with_password.js] # Not relevant to Android. See the comment in the test. skip-if = toolkit == 'android' [test_self_signed_certs.js] diff --git a/security/moz.build b/security/moz.build index 65c1c1a64c81..1f1112a8ce43 100644 --- a/security/moz.build +++ b/security/moz.build @@ -83,8 +83,7 @@ gyp_vars['nss_public_dist_dir'] = '$PRODUCT_DIR/dist' gyp_vars['nss_dist_obj_dir'] = '$PRODUCT_DIR/dist/bin' # We don't currently build NSS tests. gyp_vars['disable_tests'] = 1 -if CONFIG['NSS_DISABLE_DBM']: - gyp_vars['disable_dbm'] = 1 +gyp_vars['disable_dbm'] = 1 gyp_vars['disable_libpkix'] = 1 gyp_vars['enable_sslkeylogfile'] = 1 # pkg-config won't reliably find zlib on our builders, so just force it. diff --git a/toolkit/components/passwordmgr/test/unit/data/key3.db b/toolkit/components/passwordmgr/test/unit/data/key3.db deleted file mode 100644 index a83a0a577b0e..000000000000 Binary files a/toolkit/components/passwordmgr/test/unit/data/key3.db and /dev/null differ diff --git a/toolkit/components/passwordmgr/test/unit/head.js b/toolkit/components/passwordmgr/test/unit/head.js index a30378f4192a..ee88e8db1416 100644 --- a/toolkit/components/passwordmgr/test/unit/head.js +++ b/toolkit/components/passwordmgr/test/unit/head.js @@ -80,8 +80,7 @@ add_task(async function test_common_initialize() { // Before initializing the service for the first time, we should copy the key // file required to decrypt the logins contained in the SQLite databases used // by migration tests. This file is not required for the other tests. - const isAndroid = AppConstants.platform == "android"; - const keyDBName = isAndroid ? "key4.db" : "key3.db"; + const keyDBName = "key4.db"; await OS.File.copy( do_get_file(`data/${keyDBName}`).path, OS.Path.join(OS.Constants.Path.profileDir, keyDBName) diff --git a/toolkit/moz.build b/toolkit/moz.build index b81711808396..1b7ad052f51e 100644 --- a/toolkit/moz.build +++ b/toolkit/moz.build @@ -67,9 +67,6 @@ with Files('moz.*'): with Files('toolkit.mozbuild'): BUG_COMPONENT = ('Firefox Build System', 'General') -with Files('nss.configure'): - BUG_COMPONENT = ('Firefox Build System', 'General') - with Files('library/**'): BUG_COMPONENT = ('Firefox Build System', 'General') diff --git a/toolkit/moz.configure b/toolkit/moz.configure index 0a630ccb819a..1ece0f90b103 100644 --- a/toolkit/moz.configure +++ b/toolkit/moz.configure @@ -815,8 +815,6 @@ option('--enable-ipdl-tests', help='Enable expensive IPDL tests') set_config('MOZ_IPDL_TESTS', depends_if('--enable-ipdl-tests')(lambda _: True)) -include('nss.configure') - # Graphics # ============================================================== option('--disable-skia', help='Disable use of Skia') diff --git a/toolkit/nss.configure b/toolkit/nss.configure deleted file mode 100644 index 6dc6fc36cb34..000000000000 --- a/toolkit/nss.configure +++ /dev/null @@ -1,17 +0,0 @@ -# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- -# vim: set filetype=python: -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -# DBM support in NSS -# ============================================================== -@depends(build_project) -def dbm_default(build_project): - return build_project != 'mobile/android' - -option('--enable-dbm', default=dbm_default, - help='{Enable|Disable} building DBM') - -set_config('NSS_DISABLE_DBM', depends('--enable-dbm')(lambda x: not x))