Brian Smith
0cd5238974
Bug 1107666: Fix OCSP stapling telemetry (SSL_OCSP_STAPLING), r=keeler
...
--HG--
extra : rebase_source : 926f091b2a361d7dce30bee918d6659259f1b3e4
2014-12-11 23:22:35 -08:00
David Keeler
c3ba2c1217
bug 1108408 - GeneralName types such as otherName where the value is a SEQUENCE should have the CONSTRUCTED bit set r=briansmith
2014-12-08 13:39:19 -08:00
Monica Chew
63de38c180
Bug 1101969: Disable pinning on media.mozilla.com (r=keeler)
2014-12-12 09:10:57 -08:00
Monica Chew
04d69a9f5b
Bug 1004781: Enable pinning for facebook in production mode (r=keeler)
2014-12-12 09:10:53 -08:00
Brian Smith
7f05080219
Bug 940787: Stop requiring ALPN/NPN for False Start, r=keeler
...
--HG--
extra : rebase_source : f8946e1fc631f2458807a559104a1dca01f444ac
2014-12-10 10:50:48 -08:00
Brian Smith
cc0b0eeed3
Bug 1109766: Require AES-GCM for TLS False Start, r=keeler
...
--HG--
extra : rebase_source : 8370c628863e644131ed1fbe6b8e49b5dc1215dc
2014-12-10 10:19:00 -08:00
Brian Smith
9c1c9d03e6
Bug 861310: Require TLS 1.2 for TLS False Start, r=keeler
...
--HG--
extra : rebase_source : d4bb253a84270c84acdf7ed4f84bc0186231e521
2014-12-10 10:04:45 -08:00
Cykesiopka
9cae71d8a9
Bug 1109252 - Make remaining PSM test cert generation scripts print out cert information as necessary. r=keeler
2014-12-10 21:32:00 +01:00
Jed Davis
344f6abf7b
Bug 1093334 - Delete unnecessary copies of Chromium headers in security/sandbox/linux. r=kang
2014-12-10 17:26:12 -08:00
Jed Davis
c2384cf7c7
Bug 1093334 - Adjust includes of Linux sandboxing headers from Chromium. r=kang
...
Also re-sorts some of the includes into something closer to the style guide.
2014-12-10 17:26:12 -08:00
Jed Davis
30e88baa98
Bug 1093334 - Import more headers from Chromium rev 9522fad406dd161400daa518075828e47bd47f60. r=kang
2014-12-10 17:26:12 -08:00
Jed Davis
30ba635db0
Bug 1102209 - Remove use of CodeGen::JoinInstructions in the Linux sandboxing code. r=kang
...
This reorganizes SandboxAssembler to stack up the policy rules and
traverse them in reverse order to build the filter DAG from tail to head
(i.e., starting with "deny all" and prepending allow and return-errno
rules). Thus, this code will continue to work (perhaps with minor
changes, such as to the NodePtr typedef) with future versions of the
Chromium sandbox code that don't allow mutating the filter program with
the JoinInstructions method.
2014-12-10 17:26:12 -08:00
Jed Davis
114cf4fb41
Bug 1108759 - Fix B2G no-optimization builds. r=glandium
2014-12-10 16:17:47 -08:00
Cykesiopka
7e1828ba3d
Bug 1109245 - Modify test_keysize_ev.js to run on B2G. r=dkeeler
2014-12-09 12:07:00 -05:00
Cykesiopka
6df9a55b46
Bug 978426 - Re-enable test_sts_preloadlist_perwindowpb.js on B2G. r=dkeeler
2014-12-09 11:37:00 +01:00
Brian Smith
346599ec9c
Bug 1107791 Remove support for unusual wildcard names in certificates, r=keeler
...
--HG--
extra : rebase_source : bd142d2e85059a0d0fd36325242553e94a7d4377
2014-12-04 17:12:09 -08:00
Brian Smith
bd9d21676a
Bug 1107790: Remove support for absolute hostnames in presented DNS IDs and name constraints, r=keeler
...
--HG--
extra : rebase_source : cf402f902196e729026d713cd6d62f5c3b889a12
2014-12-08 16:42:54 -08:00
Brian Smith
81f8d7a489
Bug 1107787: Disable TLS_DHE_DSS_WITH_AES_128_CBC_SHA, r=keeler
...
--HG--
extra : rebase_source : 063d859c69adc8deba9d1842f4bd42a9b862bbe5
2014-12-04 19:50:58 -08:00
Brian Smith
5bd7eba3e4
Bug 1037098: Remove preferences for cipher suites disabled in bug 1036765, r=keeler
...
--HG--
extra : rebase_source : b033bea062c8cafecd93830fa54f4cf184fa28df
2014-12-04 19:47:17 -08:00
Brian Smith
01259ceda5
Bug 1107946: Fixed unused variable warnings in pkixnames_tests.cpp, r=keeler
...
--HG--
extra : rebase_source : 23d20e91c8b408363acab7c6d4d67a86d2293dff
2014-12-05 12:14:49 -08:00
Ryan VanderMeulen
1bdab6fe7b
Backed out changesets fb903f13f215, 9c5c712698e4, and 36d257ead3da (bug 1092835) for causing test_csp_allow_https_schemes.html permafail on Android 2.3.
...
CLOSED TREE
2014-12-09 14:00:47 -05:00
Masatoshi Kimura
487b1516b0
Bug 1092835 - Log usage of weak ciphers in the console. r=keeler,mcmanus
2014-12-10 00:54:06 +09:00
Masatoshi Kimura
5167dadd93
Bug 1093724 - Add a range check to the TLS version prefs loading code. r=keeler
2014-12-09 21:48:29 +09:00
Masatoshi Kimura
b95c85162f
Bug 1084025 - Add telemetry to measure failures due to not falling back. r=keeler
2014-12-09 07:19:05 +09:00
Ryan VanderMeulen
529edd40b5
Merge inbound to m-c. a=merge
2014-12-08 15:46:14 -05:00
Jay Wang
56bf9455a1
Bug 1105452 - Need to use new Audio system APIs for audio offload playback. r=roc, r=jld, r=ggrisco
...
Resolve the build failure caused by API changes
There are some changes in Audio APIs in Android version
21. Modifying the code to use the new APIs.
Change-Id: I24fdeb20f8f957d05fb6c0c317de0a6f0769c347
Resolve seccomp violation caused by syscall 256
Modify the filter to allow syscall 256 (set_tid_address).
Change-Id: I49461770c4c5e70bf68462d34321381b0b7ead0a
2014-12-02 17:10:00 -05:00
Carsten "Tomcat" Book
cf57e57455
merge mozilla-inbound to mozilla-central a=merge
2014-12-08 12:48:58 +01:00
ffxbld
15713eb9bb
No bug, Automated HPKP preload list update from host bld-linux64-spot-132 - a=hpkp-update
2014-12-06 03:20:43 -08:00
ffxbld
6e96f60fd3
No bug, Automated HSTS preload list update from host bld-linux64-spot-132 - a=hsts-update
2014-12-06 03:20:41 -08:00
Cykesiopka
83c04b6586
Bug 1085074 - Part 3 - Update inadequately sized Delegated Signer cert. r=briansmith
2014-12-07 20:42:00 +01:00
Cykesiopka
ee0a49c7ee
Bug 1085074 - Part 2 - Use explicit bit sizes for key size cert file names. r=briansmith
2014-12-07 20:41:00 +01:00
Cykesiopka
b42aa85de9
Bug 1085074 - Part 1 - Use adequate/OK and inadequate/notOK to refer to sizes for key size tests. r=briansmith
2014-12-07 20:23:00 +01:00
David Keeler
d9a62a4cc2
bug 1020237 - follow-up to fix build bustage r=bustage on a CLOSED TREE
2014-12-05 10:12:58 -08:00
David Keeler
d97c7ea664
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
2014-12-04 13:37:01 -08:00
Brian Smith
fc17106cf0
Bug 970542, Part 9: Better document name constraints as reference IDs, r=keeler
...
--HG--
extra : rebase_source : 60413188771454081226d58d03156c15ce795ca7
2014-10-26 11:26:26 -07:00
Brian Smith
65284e98f6
Bug 970542, Part 8: IPAddress name constraint tests, r=keeler
...
--HG--
extra : rebase_source : e8cc0158248d4621da19dfef56089957af417f73
2014-10-26 16:57:00 -07:00
Brian Smith
5fac205908
Bug 970542, Part 7: More CN-ID name constraint tests, r=keeler
...
--HG--
extra : rebase_source : 7a3d1d31cdc08ea1b989428cfc85f60a00528c72
2014-12-03 21:35:29 -08:00
Brian Smith
ac1c16b716
Bug 970542, Part 6: DNSName name constraint tests, r=keeler
...
--HG--
extra : rebase_source : ec31862fc25cfcba1454ae862a26e7a27513e9b6
2014-10-19 23:53:45 -07:00
Brian Smith
7dd909b9e5
Bug 970542, Part 5: New name constraint implementation, r=keeler, r=mmc
...
--HG--
extra : rebase_source : 849161ac892b05e5ff2d5552c632fc647d309085
2014-10-18 15:38:42 -07:00
Brian Smith
2e28de4900
Bug 970542, Part 4: DirectoryName name constraint matching, r=keeler
...
--HG--
extra : rebase_source : 01770088851823ae1005227dcd43d82d015f4b0e
2014-10-18 14:51:37 -07:00
Brian Smith
39a86a3659
Bug 970542, Part 3: IPAddress name constraint matching, r=keeler
...
--HG--
extra : rebase_source : f47ef9ead3323704595b91873811d1ead2403839
2014-10-17 13:02:26 -07:00
Brian Smith
8b38009a34
Bug 970542, Part 2: DNSName name constraint matching, r=keeler
...
--HG--
extra : rebase_source : 50b1a7d5d9da97cc64e09d5e6cdc41b8200c3551
2014-10-20 22:20:58 -07:00
Brian Smith
8d8b1cf373
Bug 970542, Part 1: Refactor name matching within CN AVAs to reduce duplicate logic, r=keeler
...
--HG--
extra : rebase_source : f129b24c58377f34ac7d80ee7d5e8775635843ff
2014-10-16 16:44:27 -07:00
Steven Michaud
08c8931f01
Bug 1083284 - New sandbox rules for Adobe's code fragment. r=areinald
2014-12-08 12:10:14 -06:00
Bob Owen
e4d5592832
Bug 1105729: Pre VS2010 SP1 define our own version of _xgetbv. r=tabraldes
2014-11-28 18:58:33 +00:00
Cykesiopka
8f08848fe0
Bug 1009158 - Fix and re-enable PSM xpcshell tests that would previously time out on Android due to LD_LIBRARY_PATH issues. r=keeler
2014-12-03 09:15:00 +01:00
Masatoshi Kimura
629560ff5f
Bug 1102632 - Stop triggering non-secure fallback for SSL_ERROR_UNSUPPORTED_VERSION. r=keeler
2014-12-02 20:33:24 +09:00
Kai Engert
c82a68a468
Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.17.3, changing version numbers, only.
2014-12-01 14:34:08 +01:00
Jan Beich
296c205c71
Bug 1105851 - Unbreak non-unified non-SPS build after 1054498. r=jcj
2014-11-30 21:27:45 +01:00
Bob Owen
986cd576ef
Bug 1094667: Use the USER_NON_ADMIN access token by default for the Windows content sandbox. r=tabraldes
2014-11-29 17:12:18 +00:00
Bob Owen
ba7a2fa911
Bug 928044 Part 3: Add logging changes back into the Chromium interception code. r=tabraldes
2014-11-29 17:12:18 +00:00
Bob Owen
b539721eb8
Bug 928044 Part 2: Enable the content sandbox by default on Windows with an open policy. r=tabraldes,glandium,jimm
...
--HG--
rename : security/sandbox/win/src/warnonlysandbox/wosCallbacks.h => security/sandbox/win/src/logging/loggingCallbacks.h
rename : security/sandbox/win/src/warnonlysandbox/wosTypes.h => security/sandbox/win/src/logging/loggingTypes.h
rename : security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.cpp => security/sandbox/win/src/logging/sandboxLogging.cpp
rename : security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.h => security/sandbox/win/src/logging/sandboxLogging.h
2014-11-29 17:12:18 +00:00
Bob Owen
888a5871f3
Bug 928044 Part 1: Remove Chromium interception logging changes. r=tabraldes
2014-11-29 17:12:17 +00:00
ffxbld
40b044ec36
No bug, Automated HPKP preload list update from host b-linux64-ix-0005 - a=hpkp-update
2014-11-29 03:19:59 -08:00
ffxbld
08ee5c96d7
No bug, Automated HSTS preload list update from host b-linux64-ix-0005 - a=hsts-update
2014-11-29 03:19:56 -08:00
Kai Engert
ea326643ff
Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18, land beta 4 which backs out bug 1073330
2014-11-28 07:56:26 +01:00
Carsten "Tomcat" Book
4155be994b
Backed out changeset 761071f57ab6 (bug 1024809) for emulator ics bustage
2014-11-27 16:30:41 +01:00
Mark Goodwin, Harsh Pathak <hpathak@mozilla.com>
ce5a887c60
Bug 1024809 - (OneCRL) Create a blocklist mechanism to revoke intermediate certs. r=keeler,Unfocused
2014-11-27 04:12:00 +01:00
Masatoshi Kimura
d7c9eae1c7
Bug 1092998 - Followup to address review comments. r=keeler
2014-11-27 21:39:33 +09:00
Bob Owen
c0ebc7a31b
Bug 1027902: Use an initial integrity level of low for the GMP sandbox on Windows. r=tabraldes
2014-11-27 08:44:45 +00:00
Blake Kaplan
e4c077f303
Bug 582297 - Make <keygen> work in e10s. r=billm/dkeeler
2014-11-26 14:28:28 -08:00
Masatoshi Kimura
8277eea9e9
Bug 1092998 - Deal with "cipher mismatch intolerant" servers. r=keeler
2014-11-27 07:19:11 +09:00
Rob Stradling
8313a4cfa7
bug 1104109 - follow-up to fix new EV OID description strings (they need to match if the OIDs are the same) r=keeler
2014-11-26 11:28:17 -08:00
Bob Owen
2a1adf9b3e
Bug 1041775 Part 3: Re-apply pre-vista stdout/err process inheritance change to Chromium code after merge. r=tabraldes
...
Originally landed as changesets:
https://hg.mozilla.org/mozilla-central/rev/f94a07671389
2014-11-18 15:11:47 +00:00
Bob Owen
44cdc5f024
Bug 1041775 Part 2: Re-apply warn only sandbox changes to Chromium code after merge. r=tabraldes
...
Originally landed as changesets:
https://hg.mozilla.org/mozilla-central/rev/e7eef85c1b0a
https://hg.mozilla.org/mozilla-central/rev/8d0aca89e1b2
2014-11-18 15:09:55 +00:00
Bob Owen
ba0931eb1d
Bug 1041775 Part 1: Update Chromium sandbox code to commit 9522fad406dd161400daa518075828e47bd47f60. r=jld,aklotz,glandium
...
--HG--
rename : security/sandbox/chromium/sandbox/linux/sandbox_export.h => security/sandbox/chromium/sandbox/sandbox_export.h
2014-11-18 13:48:21 +00:00
Cykesiopka
d7fafcac42
Bug 1103336 - Fix and re-enable PSM xpcshell tests that don't use add_tls_server_setup() on Android. r=dkeeler
2014-11-22 00:08:00 +01:00
J.C. Jones
fa8441a0a9
Bug 1104109 - December 2014 batch of EV root CA Changes. r=keeler
2014-11-24 16:36:00 +01:00
Richard Barnes
3134cd4342
Bug 968817 - Only accept certs for server TLS which use EKU (and which assert the TLS Server Authentication EKU) r=keeler
2014-11-24 20:33:50 -05:00
Jed Davis
1b16fc180f
Bug 1101170 - Move Linux sandbox code into plugin-container on desktop. r=kang r=glandium
...
Specifically:
* SandboxCrash() uses internal Gecko interfaces, so stays in libxul.
* SandboxInfo moves to libxul from libmozsandbox, which no longer exists.
* Where libxul calls Set*Sandbox(), it uses weak symbols.
* Everything remains as it was on mobile.
2014-11-24 15:22:13 -08:00
Jed Davis
2fdd7150c1
Bug 1101170 - Move sandbox status info into a separate module. r=kang r=glandium
...
This changes the interface so that the code which determines the flags
can live in one place, but checking the flags doesn't need to call into
another library.
Also removes the no-op wrappers for Set*Sandbox when disabled at build
time; nothing used them, one of them was unusable due to having the wrong
type, and all they really accomplish is allowing sloppiness with ifdefs
(which could hide actual mistakes).
2014-11-24 15:22:13 -08:00
Richard Barnes
a5cf3d5e45
Bug 1088255 - Collect telemetry on CAs that appear in valid cert chains r=keeler
2014-11-07 16:26:46 -05:00
Carsten "Tomcat" Book
972242692b
merge mozilla-inbound to mozilla-central a=merge
2014-11-24 13:30:23 +01:00
ffxbld
5e4279519a
No bug, Automated HPKP preload list update from host bld-linux64-spot-132 - a=hpkp-update
2014-11-22 03:19:44 -08:00
ffxbld
8733524dee
No bug, Automated HSTS preload list update from host bld-linux64-spot-132 - a=hsts-update
2014-11-22 03:19:41 -08:00
Kai Engert
6aea7c3edf
Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18 - NSS_3_18_BETA3, r=wtc
2014-11-20 20:29:15 +01:00
Carsten "Tomcat" Book
9401e46090
Backed out changeset 1aebb84c8af1 (bug 1041775) for Windows 8 PGO Build Bustage on a CLOSED TREE
...
--HG--
rename : security/sandbox/chromium/sandbox/sandbox_export.h => security/sandbox/chromium/sandbox/linux/sandbox_export.h
2014-11-20 16:11:56 +01:00
Carsten "Tomcat" Book
345b36dfd5
Backed out changeset ec63befb3ad7 (bug 1041775)
2014-11-20 16:11:12 +01:00
Carsten "Tomcat" Book
0100273df4
Backed out changeset ebe866ff8a44 (bug 1041775)
2014-11-20 16:11:06 +01:00
David Keeler
3cd3e496aa
bug 1079436 - fix validThrough as returned by VerifyEncodedOCSPResponse r=briansmith
...
validThrough should now be the time through which, if passed in as the given
time to validate an OCSP response at, VerifyEncodedOCSPResponse will still
consider it trustworthy. After that time, it will be expired. This makes it
so the OCSP cache compares validity period responses consistently with
mozilla::pkix.
2014-11-21 10:43:43 -08:00
Bob Owen
e5b2da099b
Bug 1041775 Part 3: Re-apply pre-vista stdout/err process inheritance change to Chromium code after merge. r=tabraldes
...
Originally landed as changesets:
https://hg.mozilla.org/mozilla-central/rev/f94a07671389
2014-11-18 15:11:47 +00:00
Bob Owen
9559e348ee
Bug 1041775 Part 2: Re-apply warn only sandbox changes to Chromium code after merge. r=tabraldes
...
Originally landed as changesets:
https://hg.mozilla.org/mozilla-central/rev/e7eef85c1b0a
https://hg.mozilla.org/mozilla-central/rev/8d0aca89e1b2
2014-11-18 15:09:55 +00:00
Bob Owen
af79dfc438
Bug 1041775 Part 1: Update Chromium sandbox code to commit 9522fad406dd161400daa518075828e47bd47f60. r=jld,aklotz
...
--HG--
rename : security/sandbox/chromium/sandbox/linux/sandbox_export.h => security/sandbox/chromium/sandbox/sandbox_export.h
2014-11-18 13:48:21 +00:00
David Keeler
ab80d0c717
bug 1091232 - update PSM data structures that are affected by root CA changes r=mmc
2014-11-18 16:41:18 -08:00
Cykesiopka
7531911bed
Bug 1089305 - Switch EV tests to SQL DB and partially clean up scripts. r=keeler
2014-11-17 21:12:00 +01:00
Monica Chew
419fa97eb6
Bug 1092606: Filter out duplicate pinsets as well as domains (r=keeler)
2014-11-17 12:54:42 -08:00
Kai Engert
63ef926a61
Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18 - NSS_3_18_BETA2
2014-11-17 14:57:45 +01:00
Cykesiopka
ff26474af6
Bug 1084606 - Allow overrides for MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE. r=dkeeler
2014-11-11 00:59:00 +01:00
Gregory Szorc
17920b30c8
Merge inbound to m-c; a=merge
...
--HG--
extra : amend_source : 2e89bf359e356566aee6b04bb864979539e1c90d
2014-11-15 13:57:08 -08:00
ffxbld
4bccbd33d3
No bug, Automated HPKP preload list update from host b-linux64-ix-0011 - a=hpkp-update
2014-11-15 03:21:19 -08:00
ffxbld
1ffd463d9d
No bug, Automated HSTS preload list update from host b-linux64-ix-0011 - a=hsts-update
2014-11-15 03:21:16 -08:00
David Keeler
ceaa910cc6
bug 940994 - follow-up to fix some issues that were missed in review r=mmc
2014-11-14 16:46:23 -08:00
Monica Chew
f991b325aa
Bug 1098288: Enable pinning on spideroak (r=keeler)
2014-11-14 11:17:40 -08:00
Masatoshi Kimura
6887042777
Bug 1094495 - Disable C4480 in security/pkix. r=keeler
2014-11-12 07:41:42 +09:00
Cykesiopka
36057e75f9
Bug 1057035 - Fix terminology used in the certificate exception dialog. r=keeler
2014-10-27 21:06:00 -04:00
Masatoshi Kimura
6a185fd3d7
Bug 1093595 - Change strings to add a description about weak encryption. r=dolske
2014-11-11 07:29:44 +09:00
Masatoshi Kimura
9a7fd683bc
Bug 1093595 - Treat SSL3 and RC4 as broken. r=keeler
2014-11-11 07:29:44 +09:00
Carsten "Tomcat" Book
2f5bf545b6
merge mozilla-inbound to mozilla-central a=merge
2014-11-10 14:24:51 +01:00
ffxbld
c53adb3b3f
No bug, Automated HPKP preload list update from host bld-linux64-spot-144 - a=hpkp-update
2014-11-08 03:20:20 -08:00
ffxbld
52c804c4de
No bug, Automated HSTS preload list update from host bld-linux64-spot-144 - a=hsts-update
2014-11-08 03:20:17 -08:00