Commit Graph

14846 Commits

Author SHA1 Message Date
Andrew McCreight
d25c3b20ae Bug 1598787 - Rename XRE_ChildProcessTypeToString to XRE_GeckoProcessTypeToString. r=froydnj
This function works on all GeckoProcessTypes, not just those for child
processes.

Differential Revision: https://phabricator.services.mozilla.com/D54375

--HG--
extra : moz-landing-system : lando
2019-11-25 22:45:31 +00:00
Coroiu Cristina
0356c7a1b5 Backed out changeset 8f52344661fe (bug 1598787) for build bustages at build/src/tools/fuzzing/faulty/Faulty.cpp on a CLOSED TREE 2019-11-26 00:22:28 +02:00
Andrew McCreight
b8c9932d5b Bug 1598787 - Rename XRE_ChildProcessTypeToString to XRE_GeckoProcessTypeToString. r=froydnj
This function works on all GeckoProcessTypes, not just those for child
processes.

Differential Revision: https://phabricator.services.mozilla.com/D54375

--HG--
extra : moz-landing-system : lando
2019-11-25 17:24:46 +00:00
Emma Malysz
ae7be05784 Bug 1596869, rename .xul files in security/manager to .xhtml r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D54198

--HG--
rename : security/manager/pki/resources/content/certManager.xul => security/manager/pki/resources/content/certManager.xhtml
rename : security/manager/pki/resources/content/certViewer.xul => security/manager/pki/resources/content/certViewer.xhtml
rename : security/manager/pki/resources/content/changepassword.xul => security/manager/pki/resources/content/changepassword.xhtml
rename : security/manager/pki/resources/content/clientauthask.xul => security/manager/pki/resources/content/clientauthask.xhtml
rename : security/manager/pki/resources/content/deletecert.xul => security/manager/pki/resources/content/deletecert.xhtml
rename : security/manager/pki/resources/content/device_manager.xul => security/manager/pki/resources/content/device_manager.xhtml
rename : security/manager/pki/resources/content/downloadcert.xul => security/manager/pki/resources/content/downloadcert.xhtml
rename : security/manager/pki/resources/content/editcacert.xul => security/manager/pki/resources/content/editcacert.xhtml
rename : security/manager/pki/resources/content/exceptionDialog.xul => security/manager/pki/resources/content/exceptionDialog.xhtml
rename : security/manager/pki/resources/content/load_device.xul => security/manager/pki/resources/content/load_device.xhtml
rename : security/manager/pki/resources/content/protectedAuth.xul => security/manager/pki/resources/content/protectedAuth.xhtml
rename : security/manager/pki/resources/content/resetpassword.xul => security/manager/pki/resources/content/resetpassword.xhtml
rename : security/manager/pki/resources/content/setp12password.xul => security/manager/pki/resources/content/setp12password.xhtml
extra : moz-landing-system : lando
2019-11-25 19:37:02 +00:00
ffxbld
97c99c1595 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D54500

--HG--
extra : moz-landing-system : lando
2019-11-25 13:53:13 +00:00
Brindusan Cristian
210f413495 Backed out changeset f90a969f785c (bug 1596869) for bc failures on browser_clientAuth_ui.js. CLOSED TREE
--HG--
rename : security/manager/pki/resources/content/certManager.xhtml => security/manager/pki/resources/content/certManager.xul
rename : security/manager/pki/resources/content/certViewer.xhtml => security/manager/pki/resources/content/certViewer.xul
rename : security/manager/pki/resources/content/changepassword.xhtml => security/manager/pki/resources/content/changepassword.xul
rename : security/manager/pki/resources/content/clientauthask.xhtml => security/manager/pki/resources/content/clientauthask.xul
rename : security/manager/pki/resources/content/deletecert.xhtml => security/manager/pki/resources/content/deletecert.xul
rename : security/manager/pki/resources/content/device_manager.xhtml => security/manager/pki/resources/content/device_manager.xul
rename : security/manager/pki/resources/content/downloadcert.xhtml => security/manager/pki/resources/content/downloadcert.xul
rename : security/manager/pki/resources/content/editcacert.xhtml => security/manager/pki/resources/content/editcacert.xul
rename : security/manager/pki/resources/content/exceptionDialog.xhtml => security/manager/pki/resources/content/exceptionDialog.xul
rename : security/manager/pki/resources/content/load_device.xhtml => security/manager/pki/resources/content/load_device.xul
rename : security/manager/pki/resources/content/protectedAuth.xhtml => security/manager/pki/resources/content/protectedAuth.xul
rename : security/manager/pki/resources/content/resetpassword.xhtml => security/manager/pki/resources/content/resetpassword.xul
rename : security/manager/pki/resources/content/setp12password.xhtml => security/manager/pki/resources/content/setp12password.xul
2019-11-23 10:45:33 +02:00
Emma Malysz
fff53676c8 Bug 1596869, rename .xul files in security/manager to .xhtml r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D54198

--HG--
rename : security/manager/pki/resources/content/certManager.xul => security/manager/pki/resources/content/certManager.xhtml
rename : security/manager/pki/resources/content/certViewer.xul => security/manager/pki/resources/content/certViewer.xhtml
rename : security/manager/pki/resources/content/changepassword.xul => security/manager/pki/resources/content/changepassword.xhtml
rename : security/manager/pki/resources/content/clientauthask.xul => security/manager/pki/resources/content/clientauthask.xhtml
rename : security/manager/pki/resources/content/deletecert.xul => security/manager/pki/resources/content/deletecert.xhtml
rename : security/manager/pki/resources/content/device_manager.xul => security/manager/pki/resources/content/device_manager.xhtml
rename : security/manager/pki/resources/content/downloadcert.xul => security/manager/pki/resources/content/downloadcert.xhtml
rename : security/manager/pki/resources/content/editcacert.xul => security/manager/pki/resources/content/editcacert.xhtml
rename : security/manager/pki/resources/content/exceptionDialog.xul => security/manager/pki/resources/content/exceptionDialog.xhtml
rename : security/manager/pki/resources/content/load_device.xul => security/manager/pki/resources/content/load_device.xhtml
rename : security/manager/pki/resources/content/protectedAuth.xul => security/manager/pki/resources/content/protectedAuth.xhtml
rename : security/manager/pki/resources/content/resetpassword.xul => security/manager/pki/resources/content/resetpassword.xhtml
rename : security/manager/pki/resources/content/setp12password.xul => security/manager/pki/resources/content/setp12password.xhtml
extra : moz-landing-system : lando
2019-11-22 21:17:33 +00:00
Cosmin Sabou
b1bde23dbf Backed out changeset e9d1379c65f5 (bug 1585904) for browser-chrome failures on browser_pageinfo_security.
--HG--
extra : histedit_source : 70a6520faf1fe6c83ae6cba3781d534cc3ae81b6
2019-11-23 01:25:02 +02:00
Carolina
f652812231 Bug 1585904 - Avoids opening the same certificate in multiple tabs each time.r=johannh,nhnt11
Differential Revision: https://phabricator.services.mozilla.com/D50110

--HG--
extra : moz-landing-system : lando
2019-11-22 17:40:18 +00:00
Sean Feng
40b8004e12 Bug 1580304 - Remove nsNSSCertList/nsIX509CertList r=keeler
nsNSSCertList/nsIX509CertList are redundant, and also contructing
them are expensive. so it is replaced by Array<nsIX509Cert>

Differential Revision: https://phabricator.services.mozilla.com/D44245

--HG--
extra : moz-landing-system : lando
2019-11-22 19:25:31 +00:00
ffxbld
533132c23d No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D54125

--HG--
extra : moz-landing-system : lando
2019-11-21 15:29:52 +00:00
Jed Davis
0daa28d9cb Bug 1294286 - Filter clock IDs in clock_getres sandbox rule. r=gcp
The clockid_t type on Linux has a space of values with encode a pid and
refer to various measures of another process's CPU usage; clock_getres
would, thereby, allow probing whether other processes exist.  This is
a relatively small information leak into the sandboxes, but there's no
reason to allow it.

Differential Revision: https://phabricator.services.mozilla.com/D54081

--HG--
extra : moz-landing-system : lando
2019-11-21 08:02:06 +00:00
Jed Davis
a37e31e914 Bug 1598040 - Filter clock IDs in clock_nanosleep sandbox rule. r=gcp
The `clockid_t` type on Linux has a space of values which encode a pid
and allow measuring the CPU usage of other processes; we don't want to
allow sandboxed processes to do that.

Differential Revision: https://phabricator.services.mozilla.com/D54080

--HG--
extra : moz-landing-system : lando
2019-11-21 08:03:17 +00:00
J.C. Jones
58feb56c3d Bug 1592007 - land NSS 1e22a0c93afe UPGRADE_NSS_RELEASE, r=kjacobs
2019-11-19  Craig Disselkoen  <cdisselk@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1586176 - EncryptUpdate should use maxout not block size.
	r=franziskus
	[1e22a0c93afe]

Differential Revision: https://phabricator.services.mozilla.com/D53868

--HG--
extra : moz-landing-system : lando
2019-11-19 22:00:00 +00:00
Emilio Cobos Álvarez
54d06f7dfe Bug 1597792 - Allow clock_nanosleep in the sandbox filter. r=gcp
It seems newer glibc versions implement nanosleep() in terms of
clock_nanosleep(), which broke the profiler due to the sandbox rules
whitelisting the former but not the later.

Unfortunate that the profiler will fail in old Firefox versions though... :/

Differential Revision: https://phabricator.services.mozilla.com/D53879

--HG--
extra : moz-landing-system : lando
2019-11-20 11:22:11 +00:00
Dana Keeler
033df96b5e bug 1596963 - run delegated credentials xpcshell tests serially r=kjacobs
The delegated credentials xpcshell tests use the TLS test server framework,
which currently uses a hard-coded port, so these tests need to run serially.

Differential Revision: https://phabricator.services.mozilla.com/D53301

--HG--
extra : moz-landing-system : lando
2019-11-19 15:15:18 +00:00
Ehsan Akhgari
8909341af2 Bug 1589476 - Emit a separate notification when a tracker from the Level 2 Disconnect blocklist is observed on a page and use this code to avoid using the URL classifer service in the front-end; r=nhnt11,droeh
Differential Revision: https://phabricator.services.mozilla.com/D49660

--HG--
extra : moz-landing-system : lando
2019-11-18 20:56:36 +00:00
ffxbld
a55a956277 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D53414

--HG--
extra : moz-landing-system : lando
2019-11-18 13:25:41 +00:00
Victor Porof
5e32e89575 Bug 1596642 - Use rev instead of both branch and tag for specifying rkv dependency version, r=heycam
Differential Revision: https://phabricator.services.mozilla.com/D53152

--HG--
extra : moz-landing-system : lando
2019-11-16 10:58:34 +00:00
J.C. Jones
2452039365 Bug 1592007 - land NSS e8f2720c8254 UPGRADE_NSS_RELEASE, r=kjacobs CLOSED TREE
2019-11-09  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixgtest.h,
	lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
	bug 1593141 - add validity period beginning argument to
	mozilla::pkix::TrustDomain::CheckRevocation r=jcj

	This allows TrustDomain implementations to make decisions based on
	when the validity period of a certificate began. For instance, if an
	implementation has revocation information that is valid and complete
	as of a particular time, but a certificate's validity period begins
	after that time, the implementation may decide to disregard this
	revocation information on the basis that the information it has
	available cannot possibly apply to that certificate.

	[e8f2720c8254] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D53228

--HG--
extra : histedit_source : 8561f7624eabd6cf2113f5585035e84ff82d26b3
2019-11-15 18:08:09 +01:00
Dana Keeler
13ed5551e3 bug 1594510 - update all TrustDomain implementations in mozilla-central due to the mozilla::pkix API change in bug 1593141 r=mbirghan
Bug 1593141 adds a parameter to mozilla::pkix::TrustDomain::CheckRevocation.
This patch updates all TrustDomain implementations in mozilla-central to
reflect this.

Differential Revision: https://phabricator.services.mozilla.com/D52066

--HG--
extra : moz-landing-system : lando
2019-11-15 18:26:45 +00:00
Tim Nguyen
9d40766fe5 Bug 1596193 - Replace outdated references to XUL textbox. r=dao
Differential Revision: https://phabricator.services.mozilla.com/D53177

--HG--
extra : moz-landing-system : lando
2019-11-15 13:35:14 +00:00
ffxbld
6e44b2aa1e No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D53009

--HG--
extra : moz-landing-system : lando
2019-11-14 23:48:44 +00:00
Sean Feng
3d651bb90e Bug 1578534 - Change nsIX509CertDB.constructX509 to take Array<uint8_t> r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44730

--HG--
extra : moz-landing-system : lando
2019-11-12 20:59:02 +00:00
Gabriele Svelto
6ff1e8b815 Bug 1516367 - Move the minidump-analyzer out of the crash reporter application bundle r=spohl,dmajor
The minidump-analyzer tool was originally conceived to be used from the crash
report client and as such was installed in the crash reporter client
application bundle on macOS. It was later adapted to work from Firefox itself
but this caused linking problems when invoked from the Firefox app bundle.
This patch moves the minidump-analyzer into the Firefox app bundle and adapts
the relevant code to find it there.

The minidump-analyzer was also not signed like the rest of our executables and
this patch addresses that issue too.

Differential Revision: https://phabricator.services.mozilla.com/D52910

--HG--
extra : moz-landing-system : lando
2019-11-14 21:11:59 +00:00
J.C. Jones
696043affe Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
2019-11-13  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen
	r=keeler

	Caused in commit 7ef8d2604494.

	[87f35ba4c82f] [tip]

2019-11-07  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/ctr.c:
	Bug 1592869 - Use NEON for ctr_xor. r=kjacobs

	Using NEON for ctr_xor, aes_ctr can improve 30%-40%i decode/encode
	time on Cortex-A72.

	[d244c7287908]

2019-11-12  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c,
	lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c:
	Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj

	A memory leak was reported and confirmed in this bug. However,
	during the "manual" analysis of the flow, another possible leak was
	found. I created a patch for both leaks, added gtests for unexpected
	keySizes and adjusted the general syntax of the gtest file.

	[7ef8d2604494]

2019-11-11  Tom Prince  <mozilla@hocat.ca>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/windows/setup.sh:
	Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

	[c33b214b2ec8]

2019-11-08  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_dhe_unittest.cc,
	gtests/ssl_gtest/ssl_ecdh_unittest.cc,
	gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c:
	Bug 1566131, check policy against hash algorithms used for
	ServerKeyExchange, r=mt

	Summary: This adds necessary policy checks in
	`ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note
	that it currently doesn't check MD5 as it still needs to be allowed
	in TLS 1.1 or earlier and many tests fail if we change that.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1566131

	[c08947c6af57]

2019-11-08  Kai Engert  <kaie@kuix.de>

	* coreconf/coreconf.dep:
	Dummy change, trigger a build to test latest NSPR commits.
	[e766899c72a5]

	* automation/taskcluster/graph/src/extend.js:
	Bug 1579836 - Execute NSPR tests as part of NSS continuous
	integration. r=jcj
	[46bfbabf7e75]

2019-11-08  Dustin J. Mitchell  <dustin@mozilla.com>

	* automation/taskcluster/graph/npm-shrinkwrap.json,
	automation/taskcluster/graph/package.json,
	automation/taskcluster/graph/src/image_builder.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/tools.sh,
	automation/taskcluster/windows/gen_certs.sh,
	automation/taskcluster/windows/run_tests.sh:
	Bug 1594891 - Updates to run correctly on the new TC deployment
	r=jcj

	* Update the Taskcluster client used in the decision task to one
	that understands Taskcluster rootUrls.
	* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
	  * the absence of this variale signals an "old" worker so we use an
	"old" URL

	[67d630e7cb7c]

2019-11-07  Tom Prince  <mozilla@hocat.ca>

	* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js:
	Bug 1591275: Switch workers to use AWS Provder; r=kjacobs

	[a2bebaad41dd]

2019-11-06  Daiki Ueno  <dueno@redhat.com>

	* gtests/pk11_gtest/pk11_module_unittest.cc:
	Bug 1577803, clang-format, a=bustage
	[c9014b2892d5]

	* gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h,
	lib/util/pkcs11t.h:
	Bug 1577803, pk11wrap: set friendly flag if token implements
	CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea

	Summary: This makes NSS look for CKO_PROFILE object at token
	initialization time to check if it implements the [[ https://docs
	.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf
	| Public Certificates Token profile ]] as defined in PKCS #11 v3.0.
	If it is found, the token is automatically marked as friendly so no
	authentication attempts will be made when accessing certificates.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[b39c8eeabe6a]

2019-11-06  Martin Thomson  <mt@lowentropy.net>

	* lib/freebl/blinit.c, lib/freebl/gcm-ppc.c:
	Bug 1566126 - clang-format, a=bustage
	[6125200fbc88]

2019-11-06  Lauri Kasanen  <cand@gmx.com>

	* lib/freebl/Makefile, lib/freebl/altivec-types.h,
	lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp,
	lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h:
	Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt

	Implementation for POWER8 adapted from the ARM paper:
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf

	Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \
	-v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz.

	NSS_DISABLE_HW_CRYPTO=1 mode in symmkey opreps cxreps context op
	time(sec) thrgput aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001
	30Mb

	 mode in symmkey opreps cxreps context op time(sec) thrgput
	aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb

	Notable operf results, sw: samples % image name symbol name 226033
	59.3991 libfreeblpriv3.so bmul 80606 21.1824 libfreeblpriv3.so
	rijndael_encryptBlock128 28851 7.5817 libfreeblpriv3.so
	gcm_HashMult_sftw

	hw: 213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128 45233
	11.8853 libfreeblpriv3.so gcm_HashMult_hw

	So the ghash part is ~5.6x faster.

	Signed-off-by: Lauri Kasanen <cand@gmx.com>
	[3d7e509d6d20]

2019-11-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/certdb.c, lib/util/secport.h:
	Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt

	Bug 1588015 introduced in NSPR a new way to ASSERT values where the
	arguments are always used avoiding "unused variable" errors. This
	was implemented in NSS, at certdb.c.

	[73c28cad3dbb]

2019-11-05  Daiki Ueno  <dueno@redhat.com>

	* cpputil/nss_scoped_ptrs.h, gtests/manifest.mn,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk,
	gtests/pkcs11testmodule/manifest.mn,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	gtests/pkcs11testmodule/pkcs11testmodule.def,
	gtests/pkcs11testmodule/pkcs11testmodule.gyp,
	gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp:
	Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea

	Summary: This adds a mock PKCS #11 module from Firefox and add basic
	tests around it. This is needed for proper testing of PKCS #11 v3.0
	profile objects (D45669).

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[0a86945adf74]

Differential Revision: https://phabricator.services.mozilla.com/D52779

--HG--
extra : moz-landing-system : lando
2019-11-14 17:32:27 +00:00
Csoregi Natalia
acb0f164ca Backed out changeset cbd4aa02eba9 (bug 1592007) for failures on browser_startup_mainthreadio.js UPGRADE_NSS_RELEASE . CLOSED TREE 2019-11-14 04:24:57 +02:00
Dana Keeler
cc3995546b bug 1592111 - add the preference "security.osclientcerts.autoload" to control auto-loading the OS client certs module r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D52288

--HG--
extra : moz-landing-system : lando
2019-11-13 21:19:57 +00:00
J.C. Jones
121d80b553 Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
2019-11-13  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen
	r=keeler

	Caused in commit 7ef8d2604494.

	[87f35ba4c82f] [tip]

2019-11-07  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/ctr.c:
	Bug 1592869 - Use NEON for ctr_xor. r=kjacobs

	Using NEON for ctr_xor, aes_ctr can improve 30%-40%i decode/encode
	time on Cortex-A72.

	[d244c7287908]

2019-11-12  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c,
	lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c:
	Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj

	A memory leak was reported and confirmed in this bug. However,
	during the "manual" analysis of the flow, another possible leak was
	found. I created a patch for both leaks, added gtests for unexpected
	keySizes and adjusted the general syntax of the gtest file.

	[7ef8d2604494]

2019-11-11  Tom Prince  <mozilla@hocat.ca>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/windows/setup.sh:
	Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

	[c33b214b2ec8]

2019-11-08  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_dhe_unittest.cc,
	gtests/ssl_gtest/ssl_ecdh_unittest.cc,
	gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c:
	Bug 1566131, check policy against hash algorithms used for
	ServerKeyExchange, r=mt

	Summary: This adds necessary policy checks in
	`ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note
	that it currently doesn't check MD5 as it still needs to be allowed
	in TLS 1.1 or earlier and many tests fail if we change that.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1566131

	[c08947c6af57]

2019-11-08  Kai Engert  <kaie@kuix.de>

	* coreconf/coreconf.dep:
	Dummy change, trigger a build to test latest NSPR commits.
	[e766899c72a5]

	* automation/taskcluster/graph/src/extend.js:
	Bug 1579836 - Execute NSPR tests as part of NSS continuous
	integration. r=jcj
	[46bfbabf7e75]

2019-11-08  Dustin J. Mitchell  <dustin@mozilla.com>

	* automation/taskcluster/graph/npm-shrinkwrap.json,
	automation/taskcluster/graph/package.json,
	automation/taskcluster/graph/src/image_builder.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/tools.sh,
	automation/taskcluster/windows/gen_certs.sh,
	automation/taskcluster/windows/run_tests.sh:
	Bug 1594891 - Updates to run correctly on the new TC deployment
	r=jcj

	* Update the Taskcluster client used in the decision task to one
	that understands Taskcluster rootUrls.
	* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
	  * the absence of this variale signals an "old" worker so we use an
	"old" URL

	[67d630e7cb7c]

2019-11-07  Tom Prince  <mozilla@hocat.ca>

	* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js:
	Bug 1591275: Switch workers to use AWS Provder; r=kjacobs

	[a2bebaad41dd]

2019-11-06  Daiki Ueno  <dueno@redhat.com>

	* gtests/pk11_gtest/pk11_module_unittest.cc:
	Bug 1577803, clang-format, a=bustage
	[c9014b2892d5]

	* gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h,
	lib/util/pkcs11t.h:
	Bug 1577803, pk11wrap: set friendly flag if token implements
	CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea

	Summary: This makes NSS look for CKO_PROFILE object at token
	initialization time to check if it implements the [[ https://docs
	.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf
	| Public Certificates Token profile ]] as defined in PKCS #11 v3.0.
	If it is found, the token is automatically marked as friendly so no
	authentication attempts will be made when accessing certificates.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[b39c8eeabe6a]

2019-11-06  Martin Thomson  <mt@lowentropy.net>

	* lib/freebl/blinit.c, lib/freebl/gcm-ppc.c:
	Bug 1566126 - clang-format, a=bustage
	[6125200fbc88]

2019-11-06  Lauri Kasanen  <cand@gmx.com>

	* lib/freebl/Makefile, lib/freebl/altivec-types.h,
	lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp,
	lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h:
	Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt

	Implementation for POWER8 adapted from the ARM paper:
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf

	Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \
	-v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz.

	NSS_DISABLE_HW_CRYPTO=1 mode in symmkey opreps cxreps context op
	time(sec) thrgput aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001
	30Mb

	 mode in symmkey opreps cxreps context op time(sec) thrgput
	aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb

	Notable operf results, sw: samples % image name symbol name 226033
	59.3991 libfreeblpriv3.so bmul 80606 21.1824 libfreeblpriv3.so
	rijndael_encryptBlock128 28851 7.5817 libfreeblpriv3.so
	gcm_HashMult_sftw

	hw: 213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128 45233
	11.8853 libfreeblpriv3.so gcm_HashMult_hw

	So the ghash part is ~5.6x faster.

	Signed-off-by: Lauri Kasanen <cand@gmx.com>
	[3d7e509d6d20]

2019-11-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/certdb.c, lib/util/secport.h:
	Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt

	Bug 1588015 introduced in NSPR a new way to ASSERT values where the
	arguments are always used avoiding "unused variable" errors. This
	was implemented in NSS, at certdb.c.

	[73c28cad3dbb]

2019-11-05  Daiki Ueno  <dueno@redhat.com>

	* cpputil/nss_scoped_ptrs.h, gtests/manifest.mn,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk,
	gtests/pkcs11testmodule/manifest.mn,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	gtests/pkcs11testmodule/pkcs11testmodule.def,
	gtests/pkcs11testmodule/pkcs11testmodule.gyp,
	gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp:
	Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea

	Summary: This adds a mock PKCS #11 module from Firefox and add basic
	tests around it. This is needed for proper testing of PKCS #11 v3.0
	profile objects (D45669).

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[0a86945adf74]

Differential Revision: https://phabricator.services.mozilla.com/D52779

--HG--
extra : moz-landing-system : lando
2019-11-13 19:44:56 +00:00
Dana Keeler
a841102f18 bug 1412438 - add preference to disable HPKP by default r=jcj
As Chrome has removed support for the HPKP (HTTP Public Key Pinning) header,
continuing to support it in Firefox is a compatibility risk. This patch adds
the preference "security.cert_pinning.hpkp.enabled" and sets it to false by
default. As such, the platform will no longer process the HPKP header nor
consult any cached HPKP information for certificate pins.
Preloaded (statically-compiled) pins are still enabled in Firefox by default.
This patch also disables dynamically setting pins via our remote security
settings infrastructure, as it uses the same backend and represents similar
compatibility risk.

Differential Revision: https://phabricator.services.mozilla.com/D52773

--HG--
extra : moz-landing-system : lando
2019-11-13 18:35:35 +00:00
Victor Porof
7ef335726f Bug 1594995 - Part 5: Use a safe-mode database for test_cert_storage_preexisting.js, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D52320

--HG--
extra : moz-landing-system : lando
2019-11-13 18:52:37 +00:00
Victor Porof
66c8eaefc1 Bug 1594995 - Part 4: Update cert_storage to use RKV in safe mode, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D52319

--HG--
extra : moz-landing-system : lando
2019-11-13 11:53:03 +00:00
Victor Porof
6e245fe362 Bug 1594995 - Part 2: Update RKV dependency to our safe-mode feature branch, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D52317

--HG--
extra : moz-landing-system : lando
2019-11-13 11:52:28 +00:00
J.C. Jones
3167ebf65d Bug 1592007 - land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs
2019-11-04  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/pk11wrap/pk11cert.c:
	Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj

	Fixed controls to avoid crashes caused by slots possibly without a
	token in pk11_fastCert. Also, improved arguments controls in
	PK11_MakeCertFromHandle.

	[dc9552c2aa77] [tip]

2019-11-01  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_des_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
	Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs

	Summary: Let's make sure the DES IV has the length we expect it to
	have.

	Bug #: 1591742

	[35857ae98190]

2019-11-01  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
	/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
	Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj

	[27a29997f598]

2019-11-01  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs

	Update NSC_Decrypt length in constant time

	[7f578a829b29]

2019-11-01  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1562671 - Limit Master Password KDF iterations for NSS
	continuous integration tests. r=mt
	[c8b490583b86]

	* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Add environment variables to control Master Password
	KDF iteration count. Disable iteration count for legacy DBM storage
	by default. r=rrelyea
	[ced91a705aa3]

2019-11-01  Bob Relyea  <rrelyea@redhat.com>

	* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
	lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Support higher iteration count for Master Password
	KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
	[6619bb43d746]

2019-10-28  Martin Thomson  <mt@lowentropy.net>

	* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
	coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
	lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
	lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
	lib/ssl/ssl.gyp:
	Bug 1590972 - Use -std=c99 for all C code, r=jcj

	This switches to using -std=c99 for compiling all C code.
	Previously, we only enabled this option for lib/freebl and lib/ssl.

	For Linux, this means we need to define _DEFAULT_SOURCE to access
	some of the functions we use. On glibc 2.12 (our oldest supported
	version), we also need to define _BSD_SOURCE to access these
	functions.

	The only tricky part is dealing with partial C99 implementation in
	gcc 4.4. From what I've seen, the only problem is that - in that
	mode - it doesn't support nesting of unnamed fields:
	https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html

	This also switches from -std=c++0x to -std=c++11 as the 0x variant,
	though identical in meaning, is deprecated.

	[dbba7db4b79d]

2019-10-30  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
	Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs

	At the moment NSS assumes that ARM supports NEON extension but this
	is not true and leads to build failure on ARM without NEON
	extension. Add check to assure USE_HW_AES is not defined if ARM
	without NEON extension is used.
	[58f2471ace3b]

2019-10-30  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1575411 - Disable EMS for tests, a=bustage
	[6e5f69781137]

2019-10-29  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_esni_unittest.cc:
	Bug 1590970 - Fix clang-format from
	e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
	[d1e43cb9f227]

2019-10-29  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/ssl/tls13esni.c:
	Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
	r=jcj
	[df5e9021809a]

2019-10-29  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/ssl.h, lib/ssl/sslsock.c:
	Bug 1575411 - Enable extended master secret by default,
	r=jcj,kjacobs

	See the bug for discussion about the implications of this.

	[d1c68498610d]

2019-10-29  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
	Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs

	Summary: The ESNI tests were using time() rather than PR_Now(), so
	they slipped the net when I went looking for bad time functions. Now
	they do the right thing again.

	What we were probably seeing in the intermittents was the case where
	we set the time for most of the SSL functions to PR_Now(), and that
	was just before a second rollover. Then, when time() was called, it
	returned t+1 so the ESNI keys that were being generated in the ESNI
	tests were given a notBefore time that was in the future relative to
	the time being given to the TLS stack. Had the ESNI keys generation
	been given time() - 1 for notBefore, as I have done here, this would
	never have turned up.

	Reviewers: kjacobs

	Tags: #secure-revision

	Bug #: 1590970

	[e7956ee3ba1b]

Differential Revision: https://phabricator.services.mozilla.com/D51858

--HG--
extra : moz-landing-system : lando
2019-11-08 22:00:40 +00:00
ffxbld
46cd67e91a No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D52533

--HG--
extra : moz-landing-system : lando
2019-11-11 14:21:48 +00:00
Kevin Jacobs
b964726542 Bug 1575735 - Explicitly check key strength of TLS channel by setting authKeyBits earlier in SSL_AuthCertificate r=keeler
This patch provides Delegated Credential information (authKeyBits and signature scheme) to CertVerifier such that we can enforce a policy check and disallow weak keys in the Delegated Credential.

This information is not passed from http3 - adding this will be done in a separate bug.

Differential Revision: https://phabricator.services.mozilla.com/D47181

--HG--
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key.keyspec => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
extra : moz-landing-system : lando
2019-11-07 22:13:43 +00:00
Haik Aftandilian
757b208866 Bug 1593071 - [macOS] Land different entitlement files for parent and child processes r=spohl
Add separate entitlement files for the browser (aka parent process) and plugin-container processes. Leave the old production and developer entitlement files in place.

Once automation has been updated to use the new process-specific entitlement files (bug 1593072), the older entitlement files can be removed.

Future work will change the process-specific entitlements to be minimized for each process type.

Update codesign.bash to
  1) use the separate browser and plugin-container entitlement files
  2) only sign executables with entitlements, not sign unnecessary files
  3) output to a .dmg instead of a .zip file.

Differential Revision: https://phabricator.services.mozilla.com/D52117

--HG--
extra : moz-landing-system : lando
2019-11-07 13:26:05 +00:00
ffxbld
02b887e62e No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D52150

--HG--
extra : source : 90745d442c4b0885b14449065509484da5de9fe5
2019-11-07 15:36:28 +00:00
Ciure Andrei
98e9f97749 Backed out changeset 90745d442c4b for causing build bustages CLOSED TREE 2019-11-07 18:19:01 +02:00
ffxbld
3d9a3dab4a No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D52150

--HG--
extra : moz-landing-system : lando
2019-11-07 15:36:28 +00:00
Sean Feng
b8410f69c1 Bug 1580318 - Remove nsIX509CertList from verifyCertFinished r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44244

--HG--
extra : moz-landing-system : lando
2019-11-07 14:35:16 +00:00
Gian-Carlo Pascutto
98d994f03d Bug 1591117 - Report ENOSYS on statx, but allow membarrier. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D50623

--HG--
extra : moz-landing-system : lando
2019-11-07 09:21:51 +00:00
Dana Keeler
81beafa0f6 bug 1592532 - reinstate filtering client certificates by usage (reverts behavior from bug 1267643) r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D52062

--HG--
extra : moz-landing-system : lando
2019-11-06 22:50:38 +00:00
Bob Owen
e552a98014 Bug 1580742: Allow sandboxed x86 GMP process to duplicate crashreporter handle to the arm64 main process. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D51985

--HG--
extra : moz-landing-system : lando
2019-11-06 20:25:59 +00:00
Dana Keeler
eba1bc1027 bug 1544244 - disable test_toolkit_securityreporter.js because TLS error reports are disabled by default and it intermittently fails r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D51954

--HG--
extra : moz-landing-system : lando
2019-11-06 02:37:26 +00:00
Haik Aftandilian
b13e5d4ca0 Bug 1576733 - Part 2 - Remove the Hardened Runtime AppleEvent entitlement r=spohl
Revert bug 1570581 by removing the AppleEvent entitlement from our hardened runtime configuration for both production and development.

Now that native messaging helpers are started 'disclaimed' with a new attribution chain, the entitlement is not needed.

Differential Revision: https://phabricator.services.mozilla.com/D48029

--HG--
extra : moz-landing-system : lando
2019-11-06 04:45:03 +00:00
Dana Keeler
4c0babeb5c bug 1550686 - remove nsIBadCertListener2 r=dragana,smaug
Differential Revision: https://phabricator.services.mozilla.com/D51001

--HG--
extra : moz-landing-system : lando
2019-11-06 00:19:14 +00:00
Narcis Beleuzu
88ff18d148 Backed out changeset 1adbdd45d961 (bug 1592007) for bc failures on browser_masterPassword.js UPGRADE_NSS_RELEASE. CLOSED TREE
--HG--
extra : histedit_source : 034b2747d1bffdb2c43a30d563ef4ecbf3f96e39
2019-11-06 03:16:30 +02:00
J.C. Jones
07491e58b7 Bug 1592007 - land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs
2019-11-04  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/pk11wrap/pk11cert.c:
	Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj

	Fixed controls to avoid crashes caused by slots possibly without a
	token in pk11_fastCert. Also, improved arguments controls in
	PK11_MakeCertFromHandle.

	[dc9552c2aa77] [tip]

2019-11-01  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_des_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
	Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs

	Summary: Let's make sure the DES IV has the length we expect it to
	have.

	Bug #: 1591742

	[35857ae98190]

2019-11-01  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
	/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
	Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj

	[27a29997f598]

2019-11-01  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs

	Update NSC_Decrypt length in constant time

	[7f578a829b29]

2019-11-01  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1562671 - Limit Master Password KDF iterations for NSS
	continuous integration tests. r=mt
	[c8b490583b86]

	* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Add environment variables to control Master Password
	KDF iteration count. Disable iteration count for legacy DBM storage
	by default. r=rrelyea
	[ced91a705aa3]

2019-11-01  Bob Relyea  <rrelyea@redhat.com>

	* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
	lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Support higher iteration count for Master Password
	KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
	[6619bb43d746]

2019-10-28  Martin Thomson  <mt@lowentropy.net>

	* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
	coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
	lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
	lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
	lib/ssl/ssl.gyp:
	Bug 1590972 - Use -std=c99 for all C code, r=jcj

	This switches to using -std=c99 for compiling all C code.
	Previously, we only enabled this option for lib/freebl and lib/ssl.

	For Linux, this means we need to define _DEFAULT_SOURCE to access
	some of the functions we use. On glibc 2.12 (our oldest supported
	version), we also need to define _BSD_SOURCE to access these
	functions.

	The only tricky part is dealing with partial C99 implementation in
	gcc 4.4. From what I've seen, the only problem is that - in that
	mode - it doesn't support nesting of unnamed fields:
	https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html

	This also switches from -std=c++0x to -std=c++11 as the 0x variant,
	though identical in meaning, is deprecated.

	[dbba7db4b79d]

2019-10-30  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
	Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs

	At the moment NSS assumes that ARM supports NEON extension but this
	is not true and leads to build failure on ARM without NEON
	extension. Add check to assure USE_HW_AES is not defined if ARM
	without NEON extension is used.
	[58f2471ace3b]

2019-10-30  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1575411 - Disable EMS for tests, a=bustage
	[6e5f69781137]

2019-10-29  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_esni_unittest.cc:
	Bug 1590970 - Fix clang-format from
	e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
	[d1e43cb9f227]

2019-10-29  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/ssl/tls13esni.c:
	Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
	r=jcj
	[df5e9021809a]

2019-10-29  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/ssl.h, lib/ssl/sslsock.c:
	Bug 1575411 - Enable extended master secret by default,
	r=jcj,kjacobs

	See the bug for discussion about the implications of this.

	[d1c68498610d]

2019-10-29  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
	Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs

	Summary: The ESNI tests were using time() rather than PR_Now(), so
	they slipped the net when I went looking for bad time functions. Now
	they do the right thing again.

	What we were probably seeing in the intermittents was the case where
	we set the time for most of the SSL functions to PR_Now(), and that
	was just before a second rollover. Then, when time() was called, it
	returned t+1 so the ESNI keys that were being generated in the ESNI
	tests were given a notBefore time that was in the future relative to
	the time being given to the TLS stack. Had the ESNI keys generation
	been given time() - 1 for notBefore, as I have done here, this would
	never have turned up.

	Reviewers: kjacobs

	Tags: #secure-revision

	Bug #: 1590970

	[e7956ee3ba1b]

Differential Revision: https://phabricator.services.mozilla.com/D51858

--HG--
extra : moz-landing-system : lando
2019-11-05 20:29:59 +00:00
Brindusan Cristian
b135033275 Backed out 2 changesets (bug 1576733) for android build bustages on OSFileConstants.cpp. CLOSED TREE
Backed out changeset 12df7898b0ee (bug 1576733)
Backed out changeset 4ab691bf4228 (bug 1576733)
2019-11-05 21:50:12 +02:00